Miggo Logo
Miggo Vulnerability Database
CVE-2022-38975

CVE-2022-38975:
EC-CUBE DOM-based cross-site scripting vulnerability

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-38975
GHSA ID
GHSA-pggw-rqfm-72rh
EPSS Score
-
CWE
CWE-79
Published
9/28/2022
Updated
4/25/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
ec-cube/ec-cubecomposer>= 4.0.0, <= 4.1.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The provided information primarily contains patch details and code diffs for CVE-2022-40199 (directory traversal), but no specific code examples or diffs related to the DOM-based XSS vulnerability (CVE-2022-38975). DOM-based XSS typically involves client-side JavaScript handling of untrusted data, but the available resources don't show the vulnerable client-side code paths or the corresponding fixes. The advisory descriptions indicate the vulnerability exists in admin interfaces through crafted pages, but without concrete code references or patch diffs for the XSS issue, we cannot confidently identify specific vulnerable functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*OM-**s** *ross-sit* s*riptin* vuln*r**ility in **-*U** * s*ri*s (**-*U** *.*.* to *.*.*) *llows * r*mot* *tt**k*r to inj**t *n *r*itr*ry s*ript *y **vin* *n **ministr*tiv* us*r o* t** pro*u*t to visit * sp**i*lly *r**t** p***.

Reasoning

T** provi*** in*orm*tion prim*rily *ont*ins p*t** **t*ils *n* *o** *i**s *or *V*-****-***** (*ir**tory tr*v*rs*l), *ut no sp**i*i* *o** *x*mpl*s or *i**s r*l*t** to t** *OM-**s** XSS vuln*r**ility (*V*-****-*****). *OM-**s** XSS typi**lly involv*s *l