CVE-2022-1439: 
PHP vulnerability analysis and mitigation

A reflected Cross-Site Scripting (XSS) vulnerability was discovered in Microweber prior to version 1.2.15, specifically affecting the demo.microweber.org/demo/module/ path. The vulnerability was assigned CVE-2022-1439 and was disclosed in April 2022 (NVD, CVE).

The vulnerability allows execution of arbitrary JavaScript code as the attacked user. The issue received a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). User interaction might be required, specifically pressing the "tab" key, although there might be payloads that can execute without user interaction (NVD).

When successfully exploited, the vulnerability allows attackers to execute arbitrary JavaScript code in the context of the attacked user's browser session. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks (NVD).

The vulnerability was patched in Microweber version 1.2.15. The fix includes additional input sanitization, specifically replacing '<' and '>' characters with '-' and implementing XSS cleaning on both keys and values of request data (GitHub Patch).