CVE-2022-2353: update · microweber/microweber@79c6914
Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user.
@@ -87,14 +87,24 @@ if (isset($_GET[‘autosize’])) { $autoSize = $_GET[‘autosize’]; } $autoSize = xss_clean($autoSize); $autoSize = intval($autoSize);
$type = '’; if (isset($_GET[‘type’])) { $type = $_GET[‘type’]; } $type = xss_clean($type);
$other = [ ';’, '\’’, '//’, '`’, '\\’,
]; $type = str_replace($other, '’, $type);
$mod_id = $mod_orig_id = false; $is_linked_mod = false;
@@ -108,6 +118,8 @@ if ($mod_id != $mod_orig_id) { $is_linked_mod = true; }
?>
<script type="text/javascript"> @@ -124,7 +136,7 @@ addIcon();
autoSize = <?php print $autoSize; ?>; settingsType = '<?php print $type; ?>’; settingsType = '<?php print htmlentities($type); ?>’;
window.onbeforeunload = function () { $(document.body).addClass(“mw-external-loading”)
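Review bot: The new `settingsType = '<?php print htmlentities($type); ?>';` line in the `@@ -124,7 +136,7 @@` hunk applies HTML-context escaping inside a JavaScript string literal; `htmlentities()` does not encode the single quote under its pre-8.1 default flags, so closing the `'...'` literal is prevented only by the `str_replace` blacklist in the first hunk, not by the escaping itself. A JavaScript-context encoder is the right tool here, e.g. `settingsType = <?php print json_encode($type, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP); ?>;`, which emits its own quotes and neutralises `<`, `'`, `"`, `&` and line terminators regardless of PHP version. The `$other` blacklist itself is brittle (it strips characters rather than validating the value); if `type` is only ever a settings/module identifier, an allowlist such as `$type = preg_replace('/[^A-Za-z0-9_\-]/', '', $type);` would be simpler to reason about — confirm the valid value set before changing it. The rendered page has lost the +/- markers of the first hunk, so which of the `xss_clean`/`intval` lines are new versus context is inferred, and the enclosing PHP file continues outside these hunks.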