Miggo Logo
Miggo Vulnerability Database
CVE-2024-33299

CVE-2024-33299: Microweber Cross-site Scripting vulnerability

4.7

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-33299
GHSA ID
GHSA-97h9-p9f8-4p3r
EPSS Score
0.36555%
CWE
CWE-79
Published
1/10/2025
Updated
1/13/2025
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
microweber/microwebercomposer<= 2.0.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability requires both improper input handling (storage phase) and unsafe output rendering (display phase). Based on the endpoint (/admin/module/view?type=users) and affected parameters:

  1. The view rendering function is vulnerable due to missing output encoding when displaying user data
  2. The user update function is vulnerable due to insufficient input validation/sanitization Confidence is medium as we infer patterns from PHP CMS architectures without direct code access, but the attack vector clearly implicates both storage and display phases of user data handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross Sit* S*riptin* vuln*r**ility in Mi*row***r v.*.*.* *llows * r*mot* *tt**k*r to *x**ut* *r*itr*ry *o** vi* t** *irst N*m* *n* L*st N*m* p*r*m*t*rs in t** *n*point /**min/mo*ul*/vi*w?typ*=us*rs

Reasoning

T** vuln*r**ility r*quir*s *ot* improp*r input **n*lin* (stor*** p**s*) *n* uns*** output r*n**rin* (*ispl*y p**s*). **s** on t** *n*point (/**min/mo*ul*/vi*w?typ*=us*rs) *n* *****t** p*r*m*t*rs: *. T** vi*w r*n**rin* *un*tion is vuln*r**l* *u* to m