
CVE-2022-38073: Awesome Support vulnerable to persistent cross-site scripting

CVSS Score: 5.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.38243%
Published: 9/22/2022
Updated: 1/28/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
awesome-support/awesome-support | composer | <= 6.0.7 | 6.0.8

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from two areas:
1) Ticket content handling in wpas_filter_ticket_data lacked wp_kses() sanitization of post_content, so XSS payloads could be stored in ticket bodies.
2) Custom field sanitization in get_sanitized_value did not encode HTML entities, so script could be injected through custom field values.
The GitHub commit addresses both points by adding wp_kses() for post_content and htmlentities() encoding for custom field values, which corresponds directly to CWE-79 (XSS) mitigation. The functions' roles in processing user input, together with the specific patch changes, confirm these as the vulnerable functions.
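As an added illustration of the two fixes described above (example code written for this page, not the Awesome Support plugin's own source), the snippet below shows the unsanitized pattern beside the hardened one. It assumes a WordPress runtime; the example_* function names and the hook name are hypothetical, while wp_kses(), wp_kses_allowed_html() and htmlentities() are real APIs.

```php
<?php
// Added example, not plugin code. Assumes WordPress is loaded so that
// wp_kses() and wp_kses_allowed_html() exist. Names prefixed example_
// and the hook name are hypothetical.

// Vulnerable pattern: ticket data is returned unchanged, so a ticket body
// containing <script> tags or on* event attributes is stored verbatim and
// later rendered to every agent who opens the ticket (stored XSS).
function example_filter_ticket_data_unsafe( array $data ): array {
    return $data;
}

// Hardened pattern (the fix the analysis describes): run post_content
// through wp_kses() with the standard 'post' allowlist. Harmless
// formatting tags survive; <script>, on* attributes and javascript:
// URLs are stripped before the ticket is saved.
function example_filter_ticket_data_safe( array $data ): array {
    if ( isset( $data['post_content'] ) && is_string( $data['post_content'] ) ) {
        $data['post_content'] = wp_kses(
            $data['post_content'],
            wp_kses_allowed_html( 'post' )
        );
    }
    return $data;
}

// Custom fields: the second fix. Entity-encoding the value turns any
// markup into literal text, so '<img src=x onerror=...>' is stored and
// displayed as visible characters rather than parsed as HTML.
function example_sanitize_custom_field_value( string $value ): string {
    return htmlentities( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// Wire the hardened filter onto a hypothetical pre-insert ticket hook.
add_filter( 'example_before_insert_ticket', 'example_filter_ticket_data_safe' );

// Constructed sample input for a quick manual check:
$ticket = array(
    'post_title'   => 'Printer offline',
    'post_content' => '<p>Still broken</p><script>document.title=1</script>',
);
$clean = example_filter_ticket_data_safe( $ticket );
// $clean['post_content'] keeps the <p> and drops the <script> element.
```

Because htmlentities() is applied at storage time, the stored value must not be encoded again on output, or entities will double-encode and display as literal &amp;lt; sequences.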


WAF Protection Rules

WAF Rule

Multiple Authenticated (custom specific plugin role) Persistent Cross-Site Scripting (XSS) vulnerability in Awesome Support plugin <= 6.0.7 at WordPress.
