CVE-2024-40101: 
PHP vulnerability analysis and mitigation

A Reflected Cross-site scripting (XSS) vulnerability was discovered in Microweber version 2.0.15 and earlier versions, specifically in the '/search' functionality. The vulnerability allows unauthenticated remote attackers to inject arbitrary web script or HTML through the 'keywords' parameter (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability can be exploited remotely without requiring privileges, but does require user interaction. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability allows attackers to inject malicious web scripts or HTML code that could be executed in users' browsers when they access the affected search functionality. This could lead to theft of sensitive information, session hijacking, or other client-side attacks (NVD).

A patch has been released to address this vulnerability. Users are advised to upgrade to a version newer than 2.0.15. The fix includes improvements to the XSS protection mechanisms and additional security controls as evidenced by the commit that adds extensive lists of not-allowed attributes (GitHub Patch).