Skip to main content

Microweber CVE-2022-2353

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2022-07-09 security@huntr.dev
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 09, 2022 - 09:15 nvd
MEDIUM 6.1

DescriptionNVD

Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user.

AnalysisAI

Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user. Affected products include: Microweber.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2025-34076 HIGH POC
7.2 Jul 02

An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the ba

CVE-2023-1877 CRITICAL POC
9.8 Apr 05

Command Injection in GitHub repository microweber/microweber prior to 1.3.3. Rated critical severity (CVSS 9.8), this vu

CVE-2022-2368 CRITICAL POC
9.8 Jul 11

Authentication Bypass by Spoofing in GitHub repository microweber/microweber prior to 1.2.20. Rated critical severity (C

CVE-2022-0895 CRITICAL POC
9.8 Mar 10

Static Code Injection in GitHub repository microweber/microweber prior to 1.3. Rated critical severity (CVSS 9.8), this

CVE-2023-49052 HIGH POC
8.8 Nov 30

File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script

CVE-2022-33012 HIGH POC
8.8 Nov 22

Microweber v1.2.15 was discovered to allow attackers to perform an account takeover via a host header injection attack.

CVE-2022-1631 HIGH POC
8.8 May 09

Users Account Pre-Takeover or Users Account Takeover. Rated high severity (CVSS 8.8), this vulnerability is remotely exp

CVE-2022-0896 HIGH POC
8.8 Mar 09

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior t

CVE-2018-17104 HIGH POC
8.8 Sep 16

An issue was discovered in Microweber 1.0.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2014-9464 HIGH POC
7.5 Jan 03

SQL injection vulnerability in Category.php in Microweber CMS 0.95 before 20141209 allows remote attackers to execute ar

CVE-2020-13241 HIGH POC
7.8 May 20

Microweber 1.1.18 allows Unrestricted File Upload because admin/view:modules/load_module:users#edit-user=1 does not veri

CVE-2023-48122 HIGH POC
7.5 Dec 08

An issue in microweber v.2.0.1 and fixed in v.2.0.4 allows a remote attacker to obtain sensitive information via the HTT

Share

CVE-2022-2353 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy