CVE-2022-2495: Microweber Stored Cross-site Scripting before v1.2.20
CVSS Score (v3.1): 4.8
Basic Information
CVE ID: CVE-2022-2495
GHSA ID:
EPSS Score: 0.54078%
CWE:
Published: 7/23/2022
Updated: 1/27/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| microweber/microweber | composer | < 1.2.20 | 1.2.20 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the SVG handling code in plupload.php. The pre-patch code:
- Initialized `$valid = true` regardless of sanitization success
- Lacked try-catch blocks around the `sanitize()` call
- Saved the SVG content without verifying that sanitization had actually succeeded
This created a scenario where:
- Malicious SVG content could bypass sanitization (if the sanitizer failed silently)
- The system would persist the unsanitized file
- Subsequent rendering of the SVG would execute embedded scripts
The patch adds exception handling and validation checks and marks a file as valid only after sanitization has demonstrably succeeded, which confirms this code path as the vulnerability source.
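The fail-open pattern described above beside its fail-closed counterpart, as an added PHP example that is not Microweber's code: `sanitizeSvg()`, `storeSvgFailOpen()` and `storeSvgFailClosed()` are hypothetical stand-ins, the sample upload is constructed, and the sanitizer is a minimal DOMDocument-based one that returns null on a parse failure (the "silent failure" the root cause depends on).

```php
<?php
// Added example (not Microweber's code). sanitizeSvg() is a hypothetical
// stand-in for the real sanitizer; it returns null when it cannot parse the input.
function sanitizeSvg(string $svg): ?string {
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    if (!$dom->loadXML($svg, LIBXML_NONET)) {
        return null;                            // could not parse: nothing usable
    }
    $xp = new DOMXPath($dom);
    foreach ($xp->query('//*[local-name()="script"]') as $node) {
        $node->parentNode->removeChild($node);  // strip script elements
    }
    foreach ($xp->query('//@*') as $attr) {     // strip on* handlers and javascript: URLs
        if (stripos($attr->nodeName, 'on') === 0 || stripos($attr->nodeValue, 'javascript:') !== false) {
            $attr->ownerElement->removeAttributeNode($attr);
        }
    }
    return $dom->saveXML();
}

// Pre-patch shape: $valid starts true, no try/catch, and the upload is kept
// even when the sanitizer produced nothing. Returns the bytes that get stored.
function storeSvgFailOpen(string $svg): ?string {
    $valid = true;
    $clean = sanitizeSvg($svg);
    if ($clean !== null) {
        $svg = $clean;
    }
    return $valid ? $svg : null;                // original bytes stored on failure
}

// Patched shape: a file is valid only after sanitization demonstrably succeeded.
function storeSvgFailClosed(string $svg): ?string {
    try {
        $clean = sanitizeSvg($svg);
    } catch (Throwable $e) {
        return null;                            // sanitizer error: reject upload
    }
    if ($clean === null || $clean === '') {
        return null;                            // silent failure: reject upload
    }
    return $clean;
}

// Constructed input: malformed XML (unclosed <rect>) carrying a script element.
$upload = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1"><script>alert(1)</script></svg>';
var_dump(storeSvgFailOpen($upload));    // string: the untouched upload, script included
var_dump(storeSvgFailClosed($upload));  // NULL: rejected
```

The detection signal for the fail-open variant is an upload that is accepted while the sanitizer reported no success, so logging the sanitizer's outcome per file is the cheap check to add alongside the fix.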