CVE-2022-2174: Cross-site Scripting in Microweber

CVSS Score
6.1 (CVSS v3.1)

Basic Information

EPSS Score
0.94662%
Published
6/23/2022
Updated
1/27/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name
microweber/microweber
Ecosystem
composer
Vulnerable Versions
< 1.2.18
First Patched Version
1.2.18

Vulnerability Intelligence

Root Cause Analysis

The patch adds xss_clean() sanitization to $_GET['autosize'] and $_GET['type'], and adds isset() checks for $params['id'] usage. This indicates three vulnerable patterns: 1) Unsanitized $_GET parameters reflected in HTML/output, 2) Direct interpolation of parameters into JavaScript contexts, and 3) Unvalidated $params['id'] usage in DOM attributes. The vulnerability stems from missing input validation and output encoding when handling these user-controllable parameters.
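The three patterns above, shown side by side in a small stand-alone PHP handler. This is an added example, not Microweber's code or its patch: the parameter names ($_GET['autosize'], $_GET['type'], $params['id']) come from the analysis, while the function names, the HTML fragment, the allowlist of types and the sample request are constructed here. Where the real patch routes input through Microweber's xss_clean() helper, the hardened form below uses PHP built-ins instead (allowlist validation on input, htmlspecialchars() for HTML attribute context, json_encode() with hex flags for the script context, and an isset() check plus a strict pattern before $params['id'] becomes a DOM id).

```php
<?php
// Added example (not Microweber's code): the reflected-XSS patterns named in the
// root-cause analysis, beside a hardened counterpart. Function names, markup,
// the type allowlist and the sample request are constructed for illustration.

// ---- Vulnerable form: raw request data reaches three different output contexts ----
function render_vulnerable(array $params): string
{
    $autosize = $_GET['autosize'] ?? '';
    $type     = $_GET['type'] ?? '';

    $html  = '<div class="editor" data-type="' . $type . '">';         // HTML attribute context
    $html .= '<script>var autosize = "' . $autosize . '";</script>';   // JavaScript string context
    $html .= '<div id="' . $params['id'] . '"></div>';                // DOM attribute; no isset() check
    return $html . '</div>';
}

// ---- Hardened form: validate on input, encode for each output context ----
function render_hardened(array $params): string
{
    // 'type' only ever takes a few known values: allowlist it (constructed list).
    $allowed_types = ['text', 'html', 'markdown'];
    $type = $_GET['type'] ?? 'text';
    if (!in_array($type, $allowed_types, true)) {
        $type = 'text';
    }

    // 'autosize' is a boolean switch; arbitrary strings never reach the output.
    $autosize = filter_var($_GET['autosize'] ?? false, FILTER_VALIDATE_BOOLEAN);

    // 'id' must exist and match a strict pattern before it is used as a DOM id.
    if (!isset($params['id']) || !preg_match('/^[A-Za-z][A-Za-z0-9_-]{0,63}$/', $params['id'])) {
        return '<!-- missing or invalid editor id -->';
    }

    $attr = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    $html  = '<div class="editor" data-type="' . $attr($type) . '">';
    // JSON encoding for the script context; the HEX flags neutralise "</script>"
    // and quote characters even though $autosize is already a boolean here.
    $html .= '<script>var autosize = '
           . json_encode($autosize, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)
           . ';</script>';
    $html .= '<div id="' . $attr($params['id']) . '"></div>';
    return $html . '</div>';
}

// Constructed request for a CLI run (php example.php): both values carry
// characters that would break out of an attribute or a JS string if echoed raw.
$_GET = ['autosize' => '"; //', 'type' => 'x"><b>'];
echo render_hardened(['id' => 'editor-1']), "\n";
// Vulnerable output for the same request is shown for comparison only:
echo render_vulnerable(['id' => 'editor-1']), "\n";
```

The point of the two functions is the difference in where the decision is made: the vulnerable version trusts every parameter and lets the output context decide what the characters mean, while the hardened version narrows each parameter to the values it can legitimately hold on input and then encodes once, with an encoder chosen for the specific context (attribute, script, DOM id) it is written into.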

WAF Protection Rules

WAF Rule

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.18.

Reasoning

The patch adds xss_clean() sanitization to $_GET['autosize'] and $_GET['type'], and adds isset() checks for $params['id'] usage. This indicates three vulnerable patterns: 1) Unsanitized $_GET parameters reflected in HTML/output, 2) Direct interpolation of parameters into JavaScript contexts, and 3) Unvalidated $params['id'] usage in DOM attributes. The vulnerability stems from missing input validation and output encoding when handling these user-controllable parameters.