CVE-2024-58289

Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields. Attackers can input script payloads in the first name field that will execute when the profile is viewed by other users, potentially stealing session cookies and executing arbitrary JavaScript.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/microweber/microweber	Product
https://microweber.me/	Broken Link
https://www.exploit-db.com/exploits/52058	Exploit Third Party Advisory VDB Entry
https://www.vulncheck.com/advisories/microweber-stored-cross-site-scripting-via-user-profile-fields	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:microweber:microweber:2.0.15:*:*:*:*:*:*:*

History

12 Jan 2026, 16:15

Type	Values Removed	Values Added
References	~~() https://github.com/microweber/microweber -~~	() https://github.com/microweber/microweber - Product
References	~~() https://microweber.me/ -~~	() https://microweber.me/ - Broken Link
References	~~() https://www.exploit-db.com/exploits/52058 -~~	() https://www.exploit-db.com/exploits/52058 - Exploit, Third Party Advisory, VDB Entry
References	~~() https://www.vulncheck.com/advisories/microweber-stored-cross-site-scripting-via-user-profile-fields -~~	() https://www.vulncheck.com/advisories/microweber-stored-cross-site-scripting-via-user-profile-fields - Third Party Advisory
First Time		Microweber Microweber microweber
CPE		cpe:2.3:a:microweber:microweber:2.0.15:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4

11 Dec 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-11 22:15

Updated : 2026-01-12 16:15

NVD link : CVE-2024-58289

Mitre link : CVE-2024-58289

CVE.ORG link : CVE-2024-58289

JSON object : View

Products Affected

microweber

microweber

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-58289", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-12-11T22:15:49.557", "references": [{"url": "https://github.com/microweber/microweber", "tags": ["Product"], "source": "disclosure@vulncheck.com"}, {"url": "https://microweber.me/", "tags": ["Broken Link"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/52058", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/microweber-stored-cross-site-scripting-via-user-profile-fields", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields. Attackers can input script payloads in the first name field that will execute when the profile is viewed by other users, potentially stealing session cookies and executing arbitrary JavaScript."}], "lastModified": "2026-01-12T16:15:36.397", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microweber:microweber:2.0.15:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "010212D1-D982-4A54-9E43-99A710949DE2"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}