Session Fixation in microweber/microweber


Reported on Oct 17th 2021


If a user (not admin) is already logged in to the system and then the admin inactivates the user, the user remains active until he/she logs in to the system.
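The behaviour reported above, next to two ways of closing it, as an added example that is not microweber's code and not the fix from the commit referenced on this page. The class, its method names, the in-memory arrays standing in for the user table and session store, and the sample user are all hypothetical.

```php
<?php
// Added example; every name is hypothetical and the data is constructed.
// In-memory arrays stand in for the user table and the session store.
final class SessionGuard
{
    private array $users = [2 => ['name' => 'editor', 'active' => true]];
    private array $sessions = []; // session id => user id

    public function login(int $userId): ?string
    {
        if (!($this->users[$userId]['active'] ?? false)) {
            return null; // inactive accounts cannot start a session
        }
        $sid = bin2hex(random_bytes(16));
        $this->sessions[$sid] = $userId;
        return $sid;
    }

    // Admin action. With $revoke = false only the flag changes (the reported behaviour).
    public function deactivate(int $userId, bool $revoke): void
    {
        $this->users[$userId]['active'] = false;
        if ($revoke) {
            $this->sessions = array_filter($this->sessions, fn (int $uid): bool => $uid !== $userId);
        }
    }

    // Weak check: an existing session is trusted without looking at the account.
    public function resolveTrustingSession(string $sid): ?int
    {
        return $this->sessions[$sid] ?? null;
    }

    // Hardened check: account state is re-read on every request.
    public function resolveCheckingStatus(string $sid): ?int
    {
        $uid = $this->sessions[$sid] ?? null;
        if ($uid === null || !($this->users[$uid]['active'] ?? false)) {
            unset($this->sessions[$sid]); // drop the stale session
            return null;
        }
        return $uid;
    }
}

$guard = new SessionGuard();
$sid = $guard->login(2);          // user 2 logs in while still active
$guard->deactivate(2, false);     // admin deactivates, sessions left untouched
var_dump($guard->resolveTrustingSession($sid));
var_dump($guard->resolveCheckingStatus($sid));
```

After the flag-only deactivation, the weak check still resolves the old session to user 2 while the hardened check returns null. Calling `deactivate(2, true)` instead removes the session, so both checks reject it.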

We have contacted a member of the microweber team and are waiting to hear back a year ago
Peter Ivanov validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed with commit 3c1d40 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
Peter Ivanov, a year ago:

Thanks for the report, the issue has been fixed now. Cheers
