CVE-2022-2353:
Microweber before v1.2.20 vulnerable to cross-site scripting

CVSS Score
6.3

Basic Information

EPSS Score
-
Published
7/10/2022
Updated
6/27/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Package Name
microweber/microweber
Ecosystem
composer
Vulnerable Versions
< 1.2.20
First Patched Version
1.2.20

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper output encoding in the JavaScript block where the $type variable was printed directly without context-aware escaping. The patch added htmlentities() to sanitize the output and removed dangerous characters via str_replace(), confirming that the original code's neutralization was insufficient. The module that handles the user-supplied 'type' parameter was identified as the injection point through analysis of the commit diff.
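The pattern described above, as an added illustration that is not Microweber's code and not taken from the commit: a user-controlled value is written into an inline script block. The function names, the variable name `$type` as a request parameter and the probe string are constructed for this example. The first function shows the unescaped interpolation the analysis describes, the second applies the htmlentities() plus str_replace() approach the patch is said to take, and the third shows a context-aware alternative using json_encode(), which keeps the value intact instead of altering it.

```php
<?php
// Constructed example (not Microweber's code): rendering a user-controlled
// "type" value inside an inline <script> block in three different ways.

// Vulnerable pattern from the root cause analysis: the raw value is
// interpolated into a JavaScript string literal with no escaping, so a
// single quote in $type ends the literal and the rest is parsed as code.
function render_vulnerable(string $type): string
{
    return "<script>var type = '" . $type . "';</script>";
}

// Approach matching the described patch: HTML-encode the value, then strip
// characters that still carry meaning inside a JS string literal. With
// ENT_QUOTES the quotes are already turned into entities; the str_replace()
// additionally removes backslashes and line breaks that htmlentities()
// leaves untouched. Note that entities are NOT decoded inside <script>,
// so the JavaScript sees the literal text "&#039;" and the value changes.
function render_patched_style(string $type): string
{
    $safe = htmlentities($type, ENT_QUOTES, 'UTF-8');
    $safe = str_replace(["'", '"', '\\', "\n", "\r"], '', $safe);
    return "<script>var type = '" . $safe . "';</script>";
}

// Context-aware alternative: let json_encode() emit a valid JS string
// literal and hex-escape < > & ' " so that a "</script>" sequence inside the
// value cannot terminate the block early. The original value round-trips.
function render_json_encoded(string $type): string
{
    $literal = json_encode(
        $type,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return "<script>var type = " . $literal . ";</script>";
}

// Constructed probe: a quote followed by a harmless expression, enough to
// show whether the string literal can be broken out of.
$probe = "widget'+1+'";

$outputs = [
    'vulnerable' => render_vulnerable($probe),
    'patched'    => render_patched_style($probe),
    'json'       => render_json_encoded($probe),
];

foreach ($outputs as $name => $html) {
    // A raw single quote surviving in the output means the literal is broken.
    $broken = substr_count($html, "'") > 2 ? 'BREAKOUT' : 'ok';
    printf("%-10s %-8s %s\n", $name, $broken, $html);
}
```

Run with any PHP 7.x or 8.x CLI. The vulnerable line emits four raw quotes (the literal is closed and reopened around `+1+`), the patched line emits `widget&#039;+1+&#039;` and the json_encode line emits `"widget\u0027+1+\u0027"`; only the last still carries the original value. When reviewing a fix like this one, the check to make is the same as in the loop: feed a value containing `'`, `"`, `\`, newline and `</script>` and confirm none of them survive unescaped in the script context.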

WAF Protection Rules

WAF Rule

Prior to Microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery (CSRF), fetch contents from same-site and redirect a user.
