CVE-2022-40487 - Multiple Cross-Site Scripting on ProcessWire

1. Vulnerability Properties

Title: Multiple Cross-Site Scripting on ProcessWire
CVE ID: CVE-2022-40487
CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
Vendor: ProcessWire
Products: ProcessWire
Advisory Release Date: 06 April 2023
Advisory URL: https://labs.integrity.pt/advisories/cve-2022-40487/
Credits: Discovery by Filipe Azevedo (filipaze) <fa[at]integrity.pt> & Guilherme Santos (rondons) <gs[at]integrity.pt>

2. Vulnerability Summary

ProcessWire v3.0.200 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Search Users and Search Pages functions. These vulnerabilities allow attackers to execute arbitrary web scripts or HTML via injection of a crafted payload.

3. Vulnerable Versions

  • <= 3.0.200

4. Solution

  • Update to version 3.0.206

5. Vulnerability Timeline

  • 09/Sept/22 - Bug reported to ProcessWire
  • 12/Sept/22 - Bug verified by vendor
  • 31/Oct/22 - Bug fixed by vendor
  • 06/Apr/23 - Advisory released

6. References


