
CVE-2022-2495: Microweber Stored Cross-site Scripting before v1.2.20

CVSS Score: 4.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.54078%
Published: 7/23/2022
Updated: 1/27/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name          | Ecosystem | Vulnerable Versions | First Patched Version
microweber/microweber | composer  | < 1.2.20            | 1.2.20

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from the SVG handling code in plupload.php. The pre-patch code:

  1. Initialized $valid = true before sanitization ran, regardless of whether it succeeded
  2. Lacked try-catch blocks around the sanitize() call
  3. Saved the SVG content without verifying that sanitization had actually succeeded

This created a scenario where:

  • Malicious SVG content could bypass sanitization (if the sanitizer failed silently)
  • The system would persist the unsanitized file
  • Subsequent rendering of the SVG would execute embedded scripts

The patch added exception handling and validation checks, and it marks a file as valid only after sanitization is confirmed to have succeeded, which confirms this code as the vulnerability source.
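As an added illustration (not Microweber's code and not a reproduction of plupload.php), the three pre-patch defects listed above are shown side by side with the corrected control flow. sanitizeSvg() is a minimal DOMDocument-based stand-in for the real sanitizer, and the function names and the exact pre-patch logic are assumptions.

```php
<?php
// Added illustration, not Microweber's code; sanitizeSvg() is a minimal
// DOMDocument stand-in for the real sanitizer (assumption).
/** @return string|false sanitized markup, or false when the SVG cannot be parsed */
function sanitizeSvg(string $svg)
{
    $dom  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok   = $dom->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return false;                  // unparseable input: sanitization failed
    }
    $xp = new DOMXPath($dom);
    foreach ($xp->query('//*[local-name()="script"]') as $node) {
        $node->parentNode->removeChild($node);   // drop script elements
    }
    return $dom->saveXML();
}
// Pre-patch shape as described above (the exact original code is assumed): $valid
// is set first, nothing catches a sanitizer error, and a false result is treated
// as "nothing to change", so the raw upload is what gets written.
function saveSvgVulnerable(string $svg, string $dest): bool
{
    $valid = true;
    $clean = sanitizeSvg($svg);
    file_put_contents($dest, $clean ?: $svg);
    return $valid;
}

// Patched shape: the upload is accepted only after a confirmed, non-empty
// sanitizer result; a sanitizer exception or a false result rejects it.
function saveSvgHardened(string $svg, string $dest): bool
{
    try {
        $clean = sanitizeSvg($svg);
    } catch (Throwable $e) {
        return false;
    }
    if (!is_string($clean) || $clean === '') {
        return false;
    }
    file_put_contents($dest, $clean);
    return true;
}
// Constructed sample: a truncated SVG that a parser-based sanitizer cannot load.
$broken = '<svg xmlns="http://www.w3.org/2000/svg"><script>x()</script><rect';
$dir    = sys_get_temp_dir();
var_dump(saveSvgVulnerable($broken, "$dir/vuln.svg"));  // marks it valid, raw bytes on disk
var_dump(saveSvgHardened($broken, "$dir/safe.svg"));    // rejects it, nothing written
```

The same call sequence with a well-formed SVG shows both paths writing the cleaned markup; the behaviour only diverges when the sanitizer reports failure.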


WAF Protection Rules

WAF Rule

Microweber prior to version 1.2.20 is vulnerable to stored Cross-site Scripting (XSS).
