
CVE-2022-0928: Cross-site Scripting in microweber

CVSS Score (v3.0): 6.8

Basic Information

EPSS Score: 0.88906%
Published: 3/12/2022
Updated: 1/27/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Package Name: microweber/microweber
Ecosystem: composer
Vulnerable Versions: < 1.2.12
First Patched Version: 1.2.12

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from API endpoints that handled tax operations without proper input validation or XSS protection. The patch removed these vulnerable endpoints from api_callbacks.php and relocated them to Laravel routes protected by the 'xss' middleware, adding validation rules at the same time. The pre-patch TaxManager::save method accepted raw user input without length checks or sanitization, which made the API callback handlers the primary injection vector. The medium confidence assigned to delete_tax_item reflects that, while it was less directly exploitable, it was part of the same vulnerable pattern.


WAF Protection Rules

WAF Rule

Microweber drag and drop website builder and CMS with e-commerce. Cross-site Scripting (XSS) discovered in microweber prior to 1.2.12. There is currently no known workaround, users are recommended to update to version 1.2.12.
