Microweber has a Cross-site Scripting vulnerability

基本資訊

• GHSA ID: GHSA-5jg5-xqfw-rv92
• CVE ID: CVE-2025-70791
• 嚴重性: LOW
• 發布時間: 2026-02-05T18:30:32Z
• 來源: GitHub Advisory

漏洞描述

Cross-site Scripting vulnerability in the “/admin/order/abandoned” endpoint of Microweber 2.0.19. An attacker can manipulate the “orderDirection” parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim’s browser. The issue was reported to the developers and fixed in version 2.0.20.

影響範圍

• composer:microweber/microweber (< 2.0.20) → 2.0.20

CVSS 評分

• CVSS v4: 2.9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P)
• CVSS v3: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CWE 分類

• CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

EPSS 評分

• EPSS: 0.00036 (percentile: 0.10461)

萃取備註

• 資料來源: GitHub Security Advisories Database
• 信心水準: 高(官方漏洞資料庫)
• 處理時間: 2026-02-08T07:50:08.407440