@filipaze
Last active October 19, 2022 14:38
CVE-2022-40487
ProcessWire Cross-Site Scripting (XSS)
Version: ProcessWire v3.0.200 and older versions
Description:
ProcessWire is a free content management system (CMS) and framework (CMF).
Vulnerability:
ProcessWire v3.0.200 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Search Users and Search Pages functions.
ProcessWire fails to sanitize user input in these functions, allowing an attacker to inject malicious JavaScript into the victim's page.
Fix URL: https://github.com/processwire/processwire/commit/95bdbf76ba0761d7fa1e8a5f8334b790da0a394b
Credits:
These vulnerabilities were discovered by Filipe Azevedo and Guilherme Santos.
We worked with the ProcessWire security team to have these security flaws
reported and fixed.
We would like to publicly thank Ryan for his prompt response!