CVE-2022-2777: update · microweber/microweber@60eef74
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.1.
@@ -14,7 +14,8 @@ public function handle(Request $request, Closure $next)
$input = $request->all();
if ($request->isMethod(‘post’) and !empty($input)) {
if (($request->isMethod(‘post’) or $request->isMethod(‘patch’)) and !empty($input)) {
$clean = new HTMLClean();
array_walk_recursive($input, function (&$input) use ($clean) {
if (is_string($input)) {
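Review bot: the changed `if` line only widens the method allowlist from POST to POST or PATCH, so a PUT request (or any other method that carries a body) still passes `$input` through to the controller without going through `HTMLClean`. Since the original bug was exactly such a gap in the method list, gate on the presence of a body instead of enumerating methods, for example `if (!empty($input) && !$request->isMethod('get'))`, or at minimum add `$request->isMethod('put')` to the list; prefer `&&`/`||` over `and`/`or` here so the grouping does not depend on the surrounding parentheses.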
@@ -23,7 +24,6 @@ public function handle(Request $request, Closure $next)
});
}
$request->merge($input);
return $next($request);
}
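Review bot: `$request->merge($input);` runs unconditionally after the `if` block, so for methods outside the allowlist the raw input is merged back as-is; behaviour-neutral today, but it invites readers to assume everything reaching `$next($request)` has been sanitized. Either move the `merge` inside the `if` block or add a comment stating which methods are cleaned, and add a regression test that submits a PATCH with markup in the category `title` and asserts the stored value is cleaned, since the advisory names that parameter.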
Related news
GHSA-cf6r-q678-f2p7: Cross-site Scripting in microweber
In Microweber prior to v1.3.1, the title parameter in the body of a POST request when creating or editing a category is vulnerable to stored cross-site scripting.