Exposure of Sensitive Information to an Unauthorized Actor in microweber/microweber

Valid

Reported on

Jan 2nd 2022


Description

Any unauthenticated actor can retrieve the PII (Personally Identifiable Information) of every user registered in the application. The fields leaked by this endpoint are first name, last name, email address, profile picture, username, and is_admin status.

Proof of Concept

1. Visit the following URL without logging in:

https://demo.microweber.org/demo/api/users/search_authors

2. The response lists the details of all registered users.

Impact

An attacker can harvest the PII of every registered user in a single unauthenticated request, including which accounts are administrators, and use it for further attacks such as targeted phishing.

Occurrences

Only admins should have access to this endpoint
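The following is an added example, not Microweber's own code and not the fix in the linked commit. It models a `search_authors`-style handler in plain PHP to show the two defects side by side: the vulnerable version answers any caller with whole user rows, while the hardened version first requires an authenticated admin session and then returns only an allow-list of fields. The in-memory user table, the session array shape, and the function names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample user table standing in for the database (assumption).
const USERS = [
    ['id' => 1, 'username' => 'alice', 'first_name' => 'Alice', 'last_name' => 'Adams',
     'email' => 'alice@example.com', 'thumbnail' => '/u/alice.png', 'is_admin' => 1],
    ['id' => 2, 'username' => 'bob', 'first_name' => 'Bob', 'last_name' => 'Brown',
     'email' => 'bob@example.com', 'thumbnail' => '/u/bob.png', 'is_admin' => 0],
];

// Vulnerable pattern: no authentication or authorization check, and the
// full row (email, is_admin, ...) is serialized to whoever asks.
function search_authors_vulnerable(string $keyword = ''): array
{
    return array_values(array_filter(
        USERS,
        fn(array $u): bool => $keyword === '' || stripos($u['username'], $keyword) !== false
    ));
}

// Hardened pattern: 401 without a session, 403 unless the caller is an
// admin, and only allow-listed fields are returned so a column added later
// does not leak by default. $session is a hypothetical decoded session
// array such as ['user_id' => 1].
function search_authors_hardened(?array $session, string $keyword = ''): array
{
    if ($session === null || empty($session['user_id'])) {
        http_response_code(401);
        return ['error' => 'authentication required'];
    }

    $caller = current(array_filter(
        USERS,
        fn(array $u): bool => $u['id'] === (int) $session['user_id']
    ));
    if ($caller === false || (int) $caller['is_admin'] !== 1) {
        http_response_code(403);
        return ['error' => 'admin privileges required'];
    }

    $allowed = array_flip(['id', 'username', 'first_name', 'last_name']);
    $rows = [];
    foreach (USERS as $u) {
        if ($keyword !== '' && stripos($u['username'], $keyword) === false) {
            continue;
        }
        // array_intersect_key drops every column not named in $allowed.
        $rows[] = array_intersect_key($u, $allowed);
    }
    return $rows;
}

// Usage:
//   search_authors_vulnerable()                  -> every field of every user, no login needed
//   search_authors_hardened(null)                -> 401 error array
//   search_authors_hardened(['user_id' => 2])    -> 403 error array (bob is not an admin)
//   search_authors_hardened(['user_id' => 1])    -> id/username/first_name/last_name only
```

The two checks are independent: the authorization check stops the unauthenticated bulk dump reported here, and the allow-list limits what even a legitimate admin search returns, so fields like `email` and `is_admin` are never exposed through a search endpoint unless a caller specifically needs them.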

We are processing your report and will contact the microweber team within 24 hours. 5 months ago
Rohan Sharma submitted a
5 months ago
We have contacted a member of the microweber team and are waiting to hear back 5 months ago
We have sent a follow up to the microweber team. We will try again in 7 days. 5 months ago
We have sent a second follow up to the microweber team. We will try again in 10 days. 4 months ago
Bozhidar, Maintainer, 4 months ago:

It's fixed

Bozhidar, Maintainer, 4 months ago:

https://github.com/microweber/microweber/commit/e680e134a4215c979bfd2eaf58336be34c8fc6e6

Peter Ivanov validated this vulnerability 4 months ago
Rohan Sharma has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on e680e1 4 months ago
Peter Ivanov has been awarded the fix bounty
api_user.php#L66-L95 has been validated