CVE-2022-0928: Cross-site Scripting in microweber

CVSS Score: 6.8 (CVSS 3.0)

Basic Information

CVE ID: CVE-2022-0928
GHSA ID:
EPSS Score: 0.88906%
CWE:
Published: 3/12/2022
Updated: 1/27/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| microweber/microweber | composer | < 1.2.12 | 1.2.12 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from API endpoints handling tax operations without proper input validation or XSS protection. The patch removed these endpoints from api_callbacks.php and relocated them to Laravel routes behind the 'xss' middleware, adding validation rules. Before the patch, TaxManager::save accepted raw user input without length checks or sanitization, which made the API callback handlers the primary injection vector. The medium confidence assigned to delete_tax_item reflects that, while it was less directly exploitable, it belonged to the same vulnerable pattern.
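The two controls the analysis credits the patch with, bounded server-side validation of the tax item and escaping at render time, shown as an added plain-PHP illustration. This is constructed example code, not Microweber's patch or its TaxManager; the field names, the 100-character limit and the rate range are assumptions, and the Laravel route/middleware registration itself is not reproduced here.

```php
<?php
// Constructed example (not Microweber code): validate a tax item before it
// reaches storage, then escape the stored name for an HTML context.
// Field names and limits are assumptions.
declare(strict_types=1);

const TAX_NAME_MAX = 100;

/** Returns ['ok' => bool, 'errors' => [...], 'data' => [...]]. */
function validate_tax_item(array $input): array
{
    $errors = [];
    $data = [];

    // The pre-patch handler had no type or length check here at all.
    $name = $input['name'] ?? null;
    if (!is_string($name) || trim($name) === '') {
        $errors['name'] = 'required string';
    } elseif (mb_strlen($name) > TAX_NAME_MAX) {
        $errors['name'] = 'longer than ' . TAX_NAME_MAX . ' characters';
    } else {
        $data['name'] = trim($name);
    }

    $rate = $input['rate'] ?? null;
    if (!is_numeric($rate) || (float)$rate < 0 || (float)$rate > 100) {
        $errors['rate'] = 'must be a number between 0 and 100';
    } else {
        $data['rate'] = (float)$rate;
    }

    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $data];
}

/** Escape a stored name for HTML output (what Blade's {{ }} does). */
function render_tax_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: clean, containing markup, and over the length limit.
$cases = [
    ['name' => 'VAT', 'rate' => '20'],
    ['name' => 'VAT <b>standard</b>', 'rate' => '20'],
    ['name' => str_repeat('x', TAX_NAME_MAX + 1), 'rate' => '20'],
];
foreach ($cases as $input) {
    $r = validate_tax_item($input);
    echo $r['ok'] ? 'accepted: ' . render_tax_name($r['data']['name'])
                  : 'rejected: ' . json_encode($r['errors']), PHP_EOL;
}
```

The second case is accepted by validation but rendered with its angle brackets encoded, which is the point: validation bounds the input, escaping at output is what actually prevents the stored value from executing as markup.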