CVE-2022-0913

7.5 HIGH

📋 TL;DR

CVE-2022-0913 is an integer overflow (wraparound) in Microweber CMS affecting every release before 1.3: a numeric value supplied by an unauthenticated client can exceed the range the application handles correctly, and the request is still processed instead of being rejected. Microweber is a PHP application, and PHP silently converts an overflowing integer to a float rather than corrupting memory, so the issue is incorrect handling of untrusted numeric input, not native code execution. Upgrade to 1.3 or later.

💻 Affected Systems

Products:
  • Microweber CMS
Versions: All versions prior to 1.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations with the default configuration; no setting has to be changed to be exposed. Triggered by a client-supplied numeric value.

📦 What is this software?

Microweber is an open-source PHP content management system and drag-and-drop website builder built on Laravel. It is distributed from GitHub (microweber/microweber) and Packagist, and ships an online-shop module alongside the CMS.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An unauthenticated request carries an integer larger than the application can represent. PHP turns it into a float without any error and the code keeps running on a value it never expected; the damage depends on where that value is used (limits bypassed, incorrect data stored). There is no memory-corruption path in a PHP integer overflow, so remote code execution from this bug alone is not supported by the advisory.

🟠

Likely Case

Incorrect handling of the oversized value: failed or malformed requests and inconsistent application data. The PHP process does not crash; a PHP "denial of service" here means broken functionality, not a segfault.

🟢

If Mitigated

Limited impact where every numeric parameter is validated server-side against an explicit allowed range before it is used.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires only a request whose numeric parameter lies outside the range the application expects; the affected parameter can be identified from the fix commit linked below. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3 and later

Vendor Advisory: https://github.com/microweber/microweber/commit/7559e141d0707f8eeff2f9aeaa5a0ca2e3fe6583

Restart Required: Yes

Instructions:

1. Back up your Microweber installation and database.
2. Update to Microweber 1.3 or later via the admin panel or a manual download.
3. Restart PHP-FPM / the web server so no stale opcache copies of the old files are served.
4. Verify the fix by checking the installed version (see How to Verify below).

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Reject any numeric parameter that is not a plain integer inside the range the endpoint actually needs, before the value is used. Note that the obvious check `$input > PHP_INT_MAX` is unreliable: PHP has already converted an oversized numeric string to a float by the time it is compared, so a value just above the integer range is not caught, and negatives, decimals and exponent notation such as 1e20 pass through. FILTER_VALIDATE_INT with explicit bounds avoids all of that.

Add input validation in PHP code (replace the bounds with your endpoint's real limits):

$qty = filter_var($input, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 100000]]);
if ($qty === false) { http_response_code(400); exit('Invalid input'); }

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules that block requests whose numeric parameters have more digits than the application can ever need, carry a leading minus sign where only positive values make sense, or use exponent or decimal notation
  • Restrict access to the affected endpoints with network segmentation or authentication until the upgrade is scheduled

🔍 How to Verify

Check if Vulnerable:

Check the Microweber version in the admin panel, or with composer show microweber/microweber if the site was installed through Composer. An installation unpacked from a release archive is not a Composer dependency, so the admin panel is the reliable source there.

Check Version:

composer show microweber/microweber | grep version

Verify Fix Applied:

Verify that the version is 1.3 or higher. In a git checkout you can also confirm the fix commit is an ancestor of the deployed revision: git merge-base --is-ancestor 7559e141d0707f8eeff2f9aeaa5a0ca2e3fe6583 HEAD exits 0 when it is.

📡 Detection & Monitoring

Log Indicators:

  • Numeric request parameters outside the range the endpoint expects: very long digit strings, negative values where only positive ones make sense, or exponent notation such as 1e20. PHP converts an overflowing integer to a float silently, so there is no crash or segmentation fault to search for; the request itself is the evidence.
  • Application-level errors or records whose numeric fields no normal client could have submitted, around the time of such requests.

Network Indicators:

  • HTTP requests with abnormally large or negative numeric parameters
  • Repeated requests to the same endpoint from one source with varying numeric values (probing for the boundary)

SIEM Query:

source="web_server_logs" AND (param_value>2147483647 OR param_value<-2147483648)

This is a pseudo-query: it assumes your pipeline already extracts request parameter values into a numeric field. The thresholds are the 32-bit limits; a 64-bit PHP build only overflows at ±9223372036854775807, so in practice alert on the range the application expects for each parameter rather than on a machine word size.
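To make the log indicators concrete, the following is an added example, not code from Microweber or from this page's author. It scans access-log lines for numeric query parameters that are outside the 64-bit PHP integer range, outside an assumed per-parameter range, or written in a non-canonical numeric form that PHP would still coerce to a number. The log lines, URL paths, parameter names and the bounds in EXPECTED_RANGES are all constructed for the demonstration and do not identify the affected Microweber endpoint; substitute the parameters and limits of your own deployment.

```python
"""Flag HTTP requests whose numeric query parameters fall outside the range
the application expects.

Added example for this page, not Microweber code.  The sample log lines,
paths, parameter names and EXPECTED_RANGES below are assumptions made for
the demonstration.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" access-log format (only the fields we need are named).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed per-parameter bounds (inclusive).  Parameters not listed here are
# checked only against the 64-bit PHP integer range.
EXPECTED_RANGES = {
    "qty": (1, 1000),
    "page": (1, 10000),
    "id": (1, 2**31 - 1),
}

PHP_INT_MAX = 2**63 - 1   # PHP integers are 64-bit on a 64-bit build
PHP_INT_MIN = -(2**63)

# A plain decimal integer: optional minus, no leading zeros, no sign/space noise.
CANONICAL_INT = re.compile(r"^-?(0|[1-9]\d*)$")
# Anything else PHP would still coerce to a number: decimals, exponent
# notation, leading '+', leading zeros, surrounding whitespace.
LOOSE_NUMERIC = re.compile(r"^[\s+-]*[\d.]+([eE][+-]?\d+)?\s*$")


def classify_value(name, raw):
    """Return a reason string if `raw` is suspicious for parameter `name`, else None."""
    if not CANONICAL_INT.match(raw):
        if LOOSE_NUMERIC.match(raw):
            return "non-canonical numeric form"
        return None  # not numeric at all: out of scope for this check
    value = int(raw)
    if value > PHP_INT_MAX or value < PHP_INT_MIN:
        return "outside 64-bit integer range (PHP converts to float)"
    lo, hi = EXPECTED_RANGES.get(name, (PHP_INT_MIN, PHP_INT_MAX))
    if not lo <= value <= hi:
        return f"outside expected range [{lo}, {hi}]"
    return None


def scan_line(line):
    """Parse one access-log line; return [(ip, target, param, value, reason), ...]."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = m.group("target")
    findings = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        reason = classify_value(name, raw)
        if reason:
            findings.append((m.group("ip"), target, name, raw, reason))
    return findings


def scan_log(lines):
    """Run scan_line over every line and concatenate the findings."""
    out = []
    for line in lines:
        out.extend(scan_line(line))
    return out


# Constructed sample log: one benign cart request, three suspicious ones, one
# benign pagination request.  Paths and parameter names are assumptions.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2022:10:01:02 +0000] "GET /shop/cart?qty=3&id=42 HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2022:10:01:07 +0000] "GET /shop/cart?qty=99999999999999999999&id=42 HTTP/1.1" 200 512
198.51.100.9 - - [10/Mar/2022:10:02:11 +0000] "GET /shop/cart?qty=-1&id=42 HTTP/1.1" 200 512
198.51.100.9 - - [10/Mar/2022:10:02:15 +0000] "GET /shop/cart?qty=1e3&id=42 HTTP/1.1" 200 512
192.0.2.7 - - [10/Mar/2022:10:03:00 +0000] "GET /?page=12 HTTP/1.1" 200 4096
""".splitlines()

if __name__ == "__main__":
    for ip, target, name, raw, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} {name}={raw!r}: {reason}")
```

Access logs only carry the query string, so POST bodies (where a cart or form value would usually travel) are invisible to this scan; to cover them, feed the same classify_value check with parameters logged by the application or a WAF. The deliberately strict CANONICAL_INT pattern is the point: PHP accepts "1e3", " 12" or "+7" as numbers, and a detection that only looks at magnitude would miss them.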

🔗 References

  • Fix commit: https://github.com/microweber/microweber/commit/7559e141d0707f8eeff2f9aeaa5a0ca2e3fe6583
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-0913
