CVE-2022-1555 - OpenCVE

DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. inject arbitrary js code, deface website, steal cookie...

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Microweber	Microweber

Configuration 1 [-]

cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/microweber/microweber/commit/724e2d186a33c0c27273107dc4f160a09384877f	Patch Third Party Advisory
https://huntr.dev/bounties/d9f9b5bd-16f3-4eaa-9e36-d4958b557687	Exploit Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: @huntrdev

Published: 2022-05-04T08:30:12

Updated: 2022-05-04T08:30:11

Reserved: 2022-05-03T00:00:00

Link: CVE-2022-1555

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-05-04T09:15:08.523

Modified: 2022-05-11T17:34:00.370

Link: CVE-2022-1555

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "microweber/microweber", "vendor": "microweber", "versions": [{"lessThan": "1.2.16", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. inject arbitrary js code, deface website, steal cookie..."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-04T08:30:11", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://huntr.dev/bounties/d9f9b5bd-16f3-4eaa-9e36-d4958b557687"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/microweber/microweber/commit/724e2d186a33c0c27273107dc4f160a09384877f"}], "source": {"advisory": "d9f9b5bd-16f3-4eaa-9e36-d4958b557687", "discovery": "EXTERNAL"}, "title": "DOM XSS in microweber ver 1.2.15 in microweber/microweber", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@huntr.dev", "ID": "CVE-2022-1555", "STATE": "PUBLIC", "TITLE": "DOM XSS in microweber ver 1.2.15 in microweber/microweber"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "microweber/microweber", "version": {"version_data": [{"version_affected": "<", "version_value": "1.2.16"}]}}]}, "vendor_name": "microweber"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. inject arbitrary js code, deface website, steal cookie..."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://huntr.dev/bounties/d9f9b5bd-16f3-4eaa-9e36-d4958b557687", "refsource": "CONFIRM", "url": "https://huntr.dev/bounties/d9f9b5bd-16f3-4eaa-9e36-d4958b557687"}, {"name": "https://github.com/microweber/microweber/commit/724e2d186a33c0c27273107dc4f160a09384877f", "refsource": "MISC", "url": "https://github.com/microweber/microweber/commit/724e2d186a33c0c27273107dc4f160a09384877f"}]}, "source": {"advisory": "d9f9b5bd-16f3-4eaa-9e36-d4958b557687", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2022-1555", "datePublished": "2022-05-04T08:30:12", "dateReserved": "2022-05-03T00:00:00", "dateUpdated": "2022-05-04T08:30:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*", "matchCriteriaId": "71C4B438-2976-4F10-9A3C-DFD10AD93AC5", "versionEndExcluding": "1.2.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. inject arbitrary js code, deface website, steal cookie..."}, {"lang": "es", "value": "Una vulnerabilidad de tipo DOM XSS en microweber versi\u00f3n 1.2.15 en el repositorio de GitHub microweber/microweber versiones anteriores a 1.2.16. inyectar c\u00f3digo js arbitrario, desfigurar el sitio web, robar cookie..."}], "id": "CVE-2022-1555", "lastModified": "2022-05-11T17:34:00.370", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-04T09:15:08.523", "references": [{"source": "security@huntr.dev", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/microweber/microweber/commit/724e2d186a33c0c27273107dc4f160a09384877f"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/d9f9b5bd-16f3-4eaa-9e36-d4958b557687"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@huntr.dev", "type": "Secondary"}]}