Miggo Logo
Miggo Vulnerability Database
CVE-2022-0963

CVE-2022-0963:
Unrestricted XML files leading to cross-site scripting in Microweber

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-0963
GHSA ID
GHSA-q3x2-jvp3-wj78
EPSS Score
0.88805%
CWE
CWE-79
Published
3/16/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
microweber/microwebercomposer< 1.2.121.2.12

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit diff shows XML was removed from allowed extensions in the get_allowed_files_extensions_for_upload function. This function controlled upload permissions, and its inclusion of XML enabled the XSS vector. The direct modification in the patch confirms this was the vulnerable entry point. The CWE-79 classification aligns with unrestricted upload leading to stored XSS, which matches the function's responsibility in handling upload permissions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Mi*row***r prior to *.*.** *llows unr*stri*t** uplo** o* XML *il*s, w*i** m*li*ious **tors **n *xploit to **us* * stor** *ross-sit* s*riptin* *tt**k.

Reasoning

T** *ommit *i** s*ows XML w*s r*mov** *rom *llow** *xt*nsions in t** **t_*llow**_*il*s_*xt*nsions_*or_uplo** *un*tion. T*is *un*tion *ontroll** uplo** p*rmissions, *n* its in*lusion o* XML *n**l** t** XSS v**tor. T** *ir**t mo*i*i**tion in t** p*t**