GHSA-cf6r-q678-f2p7

Source

https://github.com/advisories/GHSA-cf6r-q678-f2p7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-cf6r-q678-f2p7/GHSA-cf6r-q678-f2p7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-cf6r-q678-f2p7

Aliases

CVE-2022-2777

Published

2022-08-12T00:01:25Z

Modified

2023-11-08T04:09:00.444229Z

Severity

6.6 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H CVSS Calculator

Summary

Microweber's title parameter in the body of POST request vulnerable to stored XSS

Details

In Microweber prior to v1.3.1, the title parameter in the body of POST request when creating/editing a category is vulnerable to stored cross-site scripting.

Database specific

{
    "nvd_published_at": "2022-08-11T11:15:00Z",
    "github_reviewed_at": "2022-08-12T15:30:00Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Packagist / microweber/microweber

Package

Name: microweber/microweber
Purl: pkg:composer/microweber/microweber

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.1

Affected versions

0.*

0.9.346

0.93

0.931

0.934

0.951

1.*

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.1

v1.*

v1.2.3

v1.2.4

v1.2.5

v1.2.6

v1.2.7

v1.2.8

v1.2.9

v1.2.10

v1.2.11

v1.2.12

v1.2.13

v1.2.14

v1.2.15

v1.2.16

v1.2.17

v1.2.18

v1.2.19

v1.2.20

v1.2.21

v1.3.0