CVE-2022-3245 - Vulnerability Details - OpenCVE

HTML injection attack is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00455.

Exploitation poc

Automatable yes

Technical Impact total

Vendors	Products
Microweber	Microweber

Configuration 1 [-]

cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-6825	HTML injection attack is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input.
Github GHSA	GHSA-gm8c-w9cm-c445	Microweber vulnerable to HTML Injection in create tag functionality

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/microweber/microweber/commit/f20abf30a1d9c1426c5fb757ac63998dc5b92bfc
https://huntr.dev/bounties/747c2924-95ca-4311-9e69-58ee0fb440a0

History

Tue, 27 May 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: @huntrdev

Published: 2022-09-20T13:15:20.000Z

Updated: 2025-05-27T18:08:26.195Z

Reserved: 2022-09-20T00:00:00.000Z

Link: CVE-2022-3245

Vulnrichment

Updated: 2024-08-03T01:07:06.031Z

NVD

Status : Modified

Published: 2022-09-20T14:15:09.783

Modified: 2024-11-21T07:19:08.013

Link: CVE-2022-3245

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "microweber/microweber", "vendor": "microweber", "versions": [{"lessThan": "1.3.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "HTML injection attack is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-20T13:15:19.000Z", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://huntr.dev/bounties/747c2924-95ca-4311-9e69-58ee0fb440a0"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/microweber/microweber/commit/f20abf30a1d9c1426c5fb757ac63998dc5b92bfc"}], "source": {"advisory": "747c2924-95ca-4311-9e69-58ee0fb440a0", "discovery": "EXTERNAL"}, "title": " Code Injection in display of tag title on saving tags in microweber/microweber", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2022-3245", "STATE": "PUBLIC", "TITLE": " Code Injection in display of tag title on saving tags in microweber/microweber"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "microweber/microweber", "version": {"version_data": [{"version_affected": "<", "version_value": "1.3.2"}]}}]}, "vendor_name": "microweber"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "HTML injection attack is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-94 Improper Control of Generation of Code"}]}]}, "references": {"reference_data": [{"name": "https://huntr.dev/bounties/747c2924-95ca-4311-9e69-58ee0fb440a0", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/747c2924-95ca-4311-9e69-58ee0fb440a0"}, {"name": "https://github.com/microweber/microweber/commit/f20abf30a1d9c1426c5fb757ac63998dc5b92bfc", "refsource": "MISC", "url": "https://github.com/microweber/microweber/commit/f20abf30a1d9c1426c5fb757ac63998dc5b92bfc"}]}, "source": {"advisory": "747c2924-95ca-4311-9e69-58ee0fb440a0", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:07:06.031Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://huntr.dev/bounties/747c2924-95ca-4311-9e69-58ee0fb440a0"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/microweber/microweber/commit/f20abf30a1d9c1426c5fb757ac63998dc5b92bfc"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-27T18:08:10.041956Z", "id": "CVE-2022-3245", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-27T18:08:26.195Z"}}]}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2022-3245", "datePublished": "2022-09-20T13:15:20.000Z", "dateReserved": "2022-09-20T00:00:00.000Z", "dateUpdated": "2025-05-27T18:08:26.195Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.dev/bounties/747c2924-95ca-4311-9e69-58ee0fb440a0", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/microweber/microweber/commit/f20abf30a1d9c1426c5fb757ac63998dc5b92bfc", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:07:06.031Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-3245", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-27T18:08:10.041956Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-27T16:10:55.583Z"}}], "cna": {"title": " Code Injection in display of tag title on saving tags in microweber/microweber", "source": {"advisory": "747c2924-95ca-4311-9e69-58ee0fb440a0", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "microweber", "product": "microweber/microweber", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "1.3.2", "versionType": "custom"}]}], "references": [{"url": "https://huntr.dev/bounties/747c2924-95ca-4311-9e69-58ee0fb440a0", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/microweber/microweber/commit/f20abf30a1d9c1426c5fb757ac63998dc5b92bfc", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "HTML injection attack is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev", "dateUpdated": "2022-09-20T13:15:19.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, "source": {"advisory": "747c2924-95ca-4311-9e69-58ee0fb440a0", "discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.3.2", "version_affected": "<"}]}, "product_name": "microweber/microweber"}]}, "vendor_name": "microweber"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://huntr.dev/bounties/747c2924-95ca-4311-9e69-58ee0fb440a0", "name": "https://huntr.dev/bounties/747c2924-95ca-4311-9e69-58ee0fb440a0", "refsource": "CONFIRM"}, {"url": "https://github.com/microweber/microweber/commit/f20abf30a1d9c1426c5fb757ac63998dc5b92bfc", "name": "https://github.com/microweber/microweber/commit/f20abf30a1d9c1426c5fb757ac63998dc5b92bfc", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "HTML injection attack is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-94 Improper Control of Generation of Code"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-3245", "STATE": "PUBLIC", "TITLE": " Code Injection in display of tag title on saving tags in microweber/microweber", "ASSIGNER": "security@huntr.dev"}}}}, "cveMetadata": {"cveId": "CVE-2022-3245", "state": "PUBLISHED", "dateUpdated": "2025-05-27T18:08:26.195Z", "dateReserved": "2022-09-20T00:00:00.000Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2022-09-20T13:15:20.000Z", "assignerShortName": "@huntrdev"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*", "matchCriteriaId": "7909A23C-454B-4641-904E-E38E669A5745", "versionEndExcluding": "1.3.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "HTML injection attack is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input."}, {"lang": "es", "value": "Un ataque de inyecci\u00f3n HTML est\u00e1 estrechamente relacionado con un ataque de tipo Cross-site Scripting (XSS). La inyecci\u00f3n de HTML usa HTML para desfigurar la p\u00e1gina. El ataque de tipo XSS, como su nombre indica, inyecta JavaScript en la p\u00e1gina. Ambos ataques son aprovechados de una comprobaci\u00f3n insuficiente de las entradas del usuario"}], "id": "CVE-2022-3245", "lastModified": "2024-11-21T07:19:08.013", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 3.4, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-20T14:15:09.783", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/microweber/microweber/commit/f20abf30a1d9c1426c5fb757ac63998dc5b92bfc"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/747c2924-95ca-4311-9e69-58ee0fb440a0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/microweber/microweber/commit/f20abf30a1d9c1426c5fb757ac63998dc5b92bfc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/747c2924-95ca-4311-9e69-58ee0fb440a0"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@huntr.dev", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}