Lucene search

GitHub Advisory DatabaseGHSA-GMH3-X5W7-JG5M

HistoryJul 10, 2022 - 12:00 a.m.

Microweber before v1.2.20 vulnerable to cross-site scripting

2022-07-1000:00:47

CWE-79

CWE-352

GitHub Advisory Database

github.com

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

28.9%

JSON

Prior to Microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery (CSRF), fetch contents from same-site and redirect a user.

CPENameOperatorVersion
microweber/microweberlt1.2.20

CPE	Name	Operator	Version
	microweber/microweber	lt	1.2.20

References

github.com/advisories/GHSA-gmh3-x5w7-jg5m

github.com/microweber/microweber/commit/79c6914bab8c9da07ac950fda17648d08c68b130

huntr.dev/bounties/7782c095-9e8c-48b0-a7f5-3a8f52e8af52

nvd.nist.gov/vuln/detail/CVE-2022-2353

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

28.9%

JSON

Related for GHSA-GMH3-X5W7-JG5M