.. / CVE-2022-0678

Exploit for Microweber <1.2.11 - Cross-Site Scripting (CVE-2022-0678)

Description:

Packagist prior to 1.2.11 contains a cross-site scripting vulnerability via microweber/microweber. User can escape the meta tag because the user doesn’t escape the double-quote in the $redirectUrl parameter when logging out.

Nuclei Template

View the template here CVE-2022-0678.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2022/CVE-2022-0678.yaml

References:

https://github.com/microweber/microweber/commit/2b8fa5aac31e51e2aca83c7ef5d1281ba2e755f8
https://huntr.dev/bounties/d707137a-aace-44c5-b15c-1807035716c0
https://huntr.dev/bounties/d707137a-aace-44c5-b15c-1807035716c0/
https://twitter.com/CVEnew/status/1495001503249178624?s=20&t=sfABvm7oG39Fd6rG44vQWg
https://nvd.nist.gov/vuln/detail/CVE-2022-0678

.. / CVE-2022-0678 if(localStorage["style"]=="true"){ document.getElementById('pagestyle').setAttribute('href','/assets/styleDark.css'); document.querySelector('input[type="checkbox"]').checked = true }

Exploit for Microweber <1.2.11 - Cross-Site Scripting (CVE-2022-0678)

Description:

Nuclei Template

Validate with Nuclei

.. / CVE-2022-0678