CVE-2022-1439 - OpenCVE

Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press "tab" but there is probably a paylaod that runs without user interaction.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Microweber	Microweber

Configuration 1 [-]

cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/microweber/microweber/commit/ad3928f67b2cd4443f4323d858b666d35a919ba8
https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0

History

No history.

MITRE

Status: PUBLISHED

Assigner: @huntrdev

Published: 2022-04-22T16:30:14

Updated: 2024-08-03T00:03:06.181Z

Reserved: 2022-04-22T00:00:00

Link: CVE-2022-1439

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-04-22T17:15:07.973

Modified: 2022-04-29T04:31:01.377

Link: CVE-2022-1439

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "microweber/microweber", "vendor": "microweber", "versions": [{"lessThan": "1.2.15", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press \"tab\" but there is probably a paylaod that runs without user interaction."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-22T16:30:14", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/microweber/microweber/commit/ad3928f67b2cd4443f4323d858b666d35a919ba8"}], "source": {"advisory": "86f6a762-0f3d-443d-a676-20f8496907e0", "discovery": "EXTERNAL"}, "title": "Reflected XSS on demo.microweber.org/demo/module/ in microweber/microweber", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2022-1439", "STATE": "PUBLIC", "TITLE": "Reflected XSS on demo.microweber.org/demo/module/ in microweber/microweber"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "microweber/microweber", "version": {"version_data": [{"version_affected": "<", "version_value": "1.2.15"}]}}]}, "vendor_name": "microweber"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press \"tab\" but there is probably a paylaod that runs without user interaction."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0"}, {"name": "https://github.com/microweber/microweber/commit/ad3928f67b2cd4443f4323d858b666d35a919ba8", "refsource": "MISC", "url": "https://github.com/microweber/microweber/commit/ad3928f67b2cd4443f4323d858b666d35a919ba8"}]}, "source": {"advisory": "86f6a762-0f3d-443d-a676-20f8496907e0", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:03:06.181Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/microweber/microweber/commit/ad3928f67b2cd4443f4323d858b666d35a919ba8"}]}]}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2022-1439", "datePublished": "2022-04-22T16:30:14", "dateReserved": "2022-04-22T00:00:00", "dateUpdated": "2024-08-03T00:03:06.181Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*", "matchCriteriaId": "57D6F9DE-268A-46B1-94D1-A49D9AFE4DB3", "versionEndExcluding": "1.2.15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press \"tab\" but there is probably a paylaod that runs without user interaction."}, {"lang": "es", "value": "Una vulnerabilidad de tipo XSS reflejado en demo.microweber.org/demo/module/ en el repositorio de GitHub microweber/microweber versiones anteriores a 1.2.15. Ejecuta JavaScript arbitrario como el usuario atacado. Es la \u00fanica carga \u00fatil que he encontrado que funciona, es posible que haya que pulsar \"tab\" pero probablemente haya una carga \u00fatil que sea ejecutada sin la interacci\u00f3n del usuario"}], "id": "CVE-2022-1439", "lastModified": "2022-04-29T04:31:01.377", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-22T17:15:07.973", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/microweber/microweber/commit/ad3928f67b2cd4443f4323d858b666d35a919ba8"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/86f6a762-0f3d-443d-a676-20f8496907e0"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@huntr.dev", "type": "Secondary"}]}