CVE-2022-0378 Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.

XSS is when a client side script is injected into a server side script, which can lead to a wide variety of vulnerabilities. Packagist prior to version 1.2.11 allowed you to use the %= %> tag to inject client side code into server side code, which did make XSS injection trivial. Due to this dangerous bug, you should upgrade to the latest version of Packagist as soon as possible. If you’re running an older version of Packagist, you should look into the following XSS prevention tips. - Reflected in Packagist microweber/microweber prior to 1.2.11. XSS is when a client side script is injected into a server side script, which can lead to a wide variety of vulnerabilities. Packagist prior to version 1.2.11 allowed you to use the tag to inject client side code into server side code, which did make XSS injection trivial. Due to this dangerous bug, you should upgrade to the latest version of Packagist as soon as possible. If you’re running an older version of Packagist, you should look into the following XSS prevention tips.

Install and configure HTTPS

HTTPS is important for many reasons. It ensures that your communication with a website is encrypted and data isn't accidentally leaked to third-party parties. Another benefit of HTTPS is that it acts as a signal to search engines, letting them know you are taking precautions to protect the privacy of your users. If all of this sounds too complex for you, there are a few simple steps you can take to avoid any potential vulnerabilities from being exploited.

Reflected in Composer prior to 1.2.11

Reflected XSS is when a client side script is injected into a server side script, which can lead to a wide variety of vulnerabilities. Composer prior to version 1.2.11 allowed you to use the %= %> tag to inject client side code into server side code, which did make XSS injection trivial. Due to this dangerous bug, you should upgrade to the latest version of Composer as soon as possible. If you’re running an older version of Composer, you should look into the following XSS prevention tips.
- Reflected in Packagist microweber/microweber prior to 1.2.11.

Reflected in Packagist microweber/microweber prior to 1.2.11

The following code was found in Packagist microweber/microweber prior to version 1.2.11:

Filtering of user input

String literals are allowed in Packagist microweber/microweber prior to 1.2.11 and a malicious user could use this flaw to inject client side code into server side code. The best way to prevent this is by filtering user input before they hit the server, which should be done using the FilterInput class or FilterOutput class.

Timeline

Published on: 01/26/2022 16:15:00 UTC
Last modified on: 02/02/2022 16:03:00 UTC

References