The Microweber application does not limit the length of the "Code" input field when adding a Coupon, so an attacker can submit an arbitrarily long value via a crafted HTTP request and cause a Denial of Service (DoS). in microweber/microweber
Reported on
Mar 19th 2022
Proof of Concept
1. Go to "Settings", click on "Coupons" and add a new Coupon.
2. Open this drive link: https://drive.google.com/file/d/1CcVCHWbvMk07IZ5v4dojrdJbC43_ufhh/view?usp=sharing, copy the payload and paste it into the "Code" input field.
3. The application accepts the very long input without any length check; increasing the length of the input further can lead to DoS.
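The following is an added example, not Microweber's code and not part of the reporter's PoC: a plain-PHP server-side check of the kind that would reject an oversized "Code" value before it is stored. The function name, the 64-byte limit and the allowed character set are assumptions chosen for illustration.

```php
<?php
// Added example (not Microweber's code): server-side validation of a coupon
// code field. The limit and the allowed charset are assumptions; in a real
// fix, size the limit to the database column that stores the code.
const COUPON_CODE_MAX_LEN = 64;

function validate_coupon_code(string $code): array
{
    // Check the byte length first, so an oversized body is rejected before
    // any further work (regex, database round trip) is spent on it.
    $len = strlen($code);
    if ($len === 0) {
        return ['ok' => false, 'error' => 'code is required'];
    }
    if ($len > COUPON_CODE_MAX_LEN) {
        return [
            'ok'    => false,
            'error' => 'code exceeds ' . COUPON_CODE_MAX_LEN . ' bytes (got ' . $len . ')',
        ];
    }
    // Restrict the value to the characters a coupon code legitimately needs.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $code)) {
        return ['ok' => false, 'error' => 'code contains invalid characters'];
    }
    return ['ok' => true, 'code' => strtoupper($code)];
}

// Constructed inputs: a normal code and a 1 MiB payload of the kind used in the PoC.
$normal = 'SPRING2022';
$huge   = str_repeat('A', 1024 * 1024);

var_dump(validate_coupon_code($normal));
var_dump(validate_coupon_code($huge));
```

A length check in the application is only one layer: the request body size should also be bounded at the web server and PHP level (for example `post_max_size` in php.ini), and the database column for the code should have an explicit maximum length rather than an unbounded text type, so that an oversized value is refused rather than stored.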
Video PoC
https://drive.google.com/file/d/1c42w4YZNsDzObV79TMCayrXbahmbPNoD/view?usp=sharing
Impact
This vulnerability can be abused in a (distributed) denial-of-service attack, after which genuine users are unable to access the application or its resources.
Occurrences
@bobimicroweber the CVSS score for this report will be: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H and you have changed it to None. As you know, the coupon is saved in the database, and for this it will take large space, even can lead to memory corruption. @admin can you change the CVSS score and assign a CVE for this?
We only assign CVEs and adjust the CVSS with maintainer permission 👍