CVE-2025-70791

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-70791

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-70791.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-70791

Aliases

GHSA-5jg5-xqfw-rv92

Published

2026-02-05T17:16:13Z

Modified

2026-03-13T03:50:59.496026Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20.

References

Affected packages

Git / github.com/microweber/microweber

Affected ranges

Type

GIT

Repo

https://github.com/microweber/microweber

Events

Introduced

Last affected

f3c3f09258e4aeba296a599348ebcfb00f3d285a

Fixed

aa0791fc286d785ccd33ccc706f7bb3ed05b1d7f

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.0.19"
        }
    ]
}

Affected versions

1.*

1.0.3

1.0.5-fix1

1.0.6

1.0.7

1.0.7-fix1

1.1

1.2.9

v1.*

v1.2.10

v1.2.11

v1.2.12

v1.2.13

v1.2.14

v1.2.15

v1.2.16

v1.2.17

v1.2.18

v1.2.19

v1.2.20

v1.2.21

v1.2.3

v1.2.4

v1.2.5

v1.2.6

v1.2.7

v1.2.8

v1.2.9

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v2.*

v2.0.0

v2.0.1

v2.0.10

v2.0.11

v2.0.12

v2.0.13

v2.0.14

v2.0.15

v2.0.16

v2.0.17

v2.0.18

v2.0.19

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.0.8

v2.0.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-70791.json"