
CVE-2022-2130: Cross-site Scripting in Microweber

CVSS Score (v3.1)
6.1

Basic Information

EPSS Score
0.9309%
Published
6/21/2022
Updated
1/27/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
Package Name
microweber/microweber
Ecosystem
composer
Vulnerable Versions
<= 1.2.17
First Patched Version
(not listed)

Vulnerability Intelligence

Root Cause Analysis

The key vulnerability stems from the 'temp' function handling user input (val) without adequate sanitization. The patch adds 'val = (val || '').trim()', indicating that the input was previously not cleaned at all. Since this function directly modifies CSS rules applied to the document, unescaped input could lead to script execution via CSS injection vectors (e.g., 'javascript:' URIs or expression() in legacy browsers). The CWE-79 classification and the nature of the fix (added sanitization) strongly point to this function as the vulnerable entry point.
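The following is an added illustration of the pattern the analysis describes, not code from Microweber or from the patch. It models a hypothetical helper that turns a user-supplied value into a CSS rule: the unsafe builder concatenates the raw string (so a value can break out of the declaration or smuggle a 'javascript:' URI or expression()), while the hardened builder restricts the property to a fixed list, validates the value against a strict allow-list, and checks the selector shape. The function names, the allowed-property list and the sample inputs are all assumptions made for this example.

```javascript
// Added example, not Microweber's code. 'val' plays the role of the
// user-controlled input the root cause analysis refers to.

// Allow-list for a CSS value: a hex colour, a bare keyword, or a number
// with a common unit. Function syntax such as url(...) or expression(...)
// and separators such as ';' or '}' never match.
const SAFE_CSS_VALUE = /^(#[0-9a-f]{3,8}|[a-z]+|-?\d+(\.\d+)?(px|em|rem|%|vh|vw)?)$/i;

// Selector shape accepted by the safe builder: an optional '#' or '.'
// followed by an identifier (hypothetical restriction for this example).
const SAFE_SELECTOR = /^[#.]?[a-z_][\w-]*$/i;

// Properties this hypothetical widget is allowed to set.
const ALLOWED_PROPERTIES = new Set(['color', 'background-color', 'width', 'height', 'font-size']);

// Returns true only when the trimmed value is non-empty, short, and matches
// the allow-list. Note that trim() alone would still accept 'expression(...)'.
function isSafeCssValue(val) {
  const v = (val || '').trim();
  return v.length > 0 && v.length <= 64 && SAFE_CSS_VALUE.test(v);
}

// Vulnerable pattern: raw concatenation into rule text. A value containing
// '}' or a CSS function is copied into the stylesheet unchanged.
function buildRuleUnsafe(selector, property, val) {
  return `${selector} { ${property}: ${val}; }`;
}

// Hardened pattern: every component is validated before it reaches the rule.
function buildRuleSafe(selector, property, val) {
  if (!SAFE_SELECTOR.test(selector)) throw new Error('selector rejected');
  if (!ALLOWED_PROPERTIES.has(property)) throw new Error('property not allowed');
  if (!isSafeCssValue(val)) throw new Error('value rejected');
  return `${selector} { ${property}: ${val.trim()}; }`;
}

// Usage: a rule string produced by buildRuleSafe is what a browser-side
// caller would hand to CSSStyleSheet.insertRule(); in the unsafe variant a
// constructed value such as 'red; } body { background: url(...)' would close
// the declaration early and start a new rule of the attacker's choosing.
const constructedInput = 'red; } body { background: url(x)';
console.log(buildRuleUnsafe('.hero', 'color', constructedInput));
try {
  buildRuleSafe('.hero', 'color', constructedInput);
} catch (e) {
  console.log('hardened builder refused the value:', e.message);
}
```

The allow-list is deliberately narrow; widening it (for example to accept url() for background images) reintroduces exactly the class of input the page's fix is reacting to, so any such extension needs its own validation of the URL scheme.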

Vulnerable functions


WAF Protection Rules

WAF Rule

Microweber versions 1.2.17 and prior are vulnerable to cross-site scripting. A patch is available on the `**v l*r*v*l*-p*p*` branch of the repository.
