The microweber application allows large characters to insert in the input field "Email" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in microweber/microweber

Valid

Reported on

May 13th 2022

POC:

  1. Go to home page http://127.0.0.1/ and there will a option to signup with email and phone number with 3 check box
  2. Screenshot: --> https://ibb.co/F3tPVWY
  3. Fill the email parameter with huge characters
  4. when the admin check the notification (http://127.0.0.1/admin/notification) it will be flooded with our payload

Payload:

https://drive.google.com/file/d/1-e-lPMJxO7zBhcZOGKipnqOj3C4ygDGA/view?usp=drivesdk

POC screenshot:

https://ibb.co/R72wybz

POC Video:

https://www.mediafire.com/file/ar3qywsh2hvf6fo/microweber--poc--latest.mov/file

Patch recommendation:

  1. The Email input should be limited to 50 characters or max 100 characters.

Impact

  1. It can leads to DOS
We are processing your report and will contact the microweber team within 24 hours. a month ago
We have contacted a member of the microweber team and are waiting to hear back a month ago
Bozhidar Slaveykov modified the Severity from High to None a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Bozhidar Slaveykov validated this vulnerability a month ago
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bozhidar Slaveykov confirmed that a fix has been merged on 4ac2a4 a month ago
Bozhidar Slaveykov has been awarded the fix bounty
Akshay Ravi
a month ago

Researcher

@admin can you please assign a CVE for this?

Jamie Slome
a month ago

Admin

We do not currently assign CVEs to vulnerabilities with a None severity.

to join this conversation