CVE-2022-1504: Cross-site Scripting in microweber

CVSS Score (v3.0): 6.3

Basic Information

EPSS Score: 0.55008%
Published: 4/28/2022
Updated: 1/30/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Package Name            Ecosystem   Vulnerable Versions   First Patched Version
microweber/microweber   composer    < 1.2.15              1.2.15

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The XSS vulnerability stemmed from insufficient input sanitization in the module endpoint handler. The commit diff shows the AntiXSS usage being replaced with a custom XSSClean class that adds protection against more than 80 event-handler attributes. The original AntiXSS path in module() performed only basic tag stripping and xss_clean(), so it did not block the modern event handler used in the test case (ontransitionrun=alert(1)). The vulnerable function processed the 'module' parameter from the URL directly, without context-aware output encoding, which left it open to reflected XSS payloads.
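As an added illustration (not Microweber's code and not the XSSClean class from the fix), the PHP below contrasts a hypothetical blocklist sanitizer of the kind the analysis describes with context-aware output encoding, then parses each rendering to show which attributes the browser would actually see. The function names, the blocklist contents and the sample value (built on the page's test payload) are assumptions.

```php
<?php
// Added illustration, not Microweber's code: blocklist_clean() is a hypothetical
// stand-in for the "basic tag stripping" path; encode_for_attr() is the alternative.

// Hypothetical blocklist sanitizer: strip tags, then remove a fixed set
// of event-handler names. A handler missing from the list (such as
// ontransitionrun) passes through untouched.
function blocklist_clean(string $input): string
{
    $out = strip_tags($input);
    foreach (['onclick', 'onload', 'onerror', 'onmouseover'] as $handler) {
        $out = preg_replace('/\b' . $handler . '\s*=/i', '', $out);
    }
    return $out;
}

// Context-aware encoding for an attribute value: quotes, angle brackets
// and ampersands are encoded, so the value can never close the attribute
// or open a tag, whatever handler names the browser supports.
function encode_for_attr(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Reflects the 'module' request parameter into an attribute value.
function render_module(string $module, callable $clean): string
{
    return '<div data-module="' . $clean($module) . '"></div>';
}

// Regression check: parse the rendered markup the way a browser would
// and return the attribute names the <div> actually ends up with.
function attribute_names(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><body>' . $html . '</body>', LIBXML_NOERROR);
    $names = [];
    foreach ($doc->getElementsByTagName('div')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed sample built on the advisory's test payload, positioned so
// that an unencoded quote would terminate the data-module attribute.
$module = 'x" ontransitionrun=alert(1) data-y="';
// Blocklist path: the unlisted handler becomes an attribute of its own.
print_r(attribute_names(render_module($module, 'blocklist_clean')));
// Encoded path: everything stays inside the single data-module attribute.
print_r(attribute_names(render_module($module, 'encode_for_attr')));
```

The attribute_names() check is the kind of assertion worth keeping in a test suite: it fails whenever a reflected value produces any attribute other than the one the template intended, independent of how complete a handler blocklist is.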

WAF Protection Rules

WAF Rule

XSS in /demo/module/?module=HERE in GitHub repository microweber/microweber prior to 1.2.15. Typical impact of XSS attacks.