Improper Input Validation in microweber/microweber

Valid

Reported on

Feb 17th 2022


Description

The phone number field on the product checkout page has no input length validation: any user can submit more than 5000 characters, which should not be allowed. The expected behaviour is that at most 255 characters are accepted.

Steps to Reproduce

  • In the Shop, check out any product
  • On the checkout page, enter the required details such as name, email address and phone number
  • The First name and phone number input fields are affected
  • More than 5000 characters can be entered into these fields without any length validation

Impact

An attacker could exploit this vulnerability, leading to:

  • Memory corruption
  • Denial of Service

Occurrences

Remediation

This can be fixed by enforcing a character limit on the input fields so that no user or admin can enter more than 255 characters.
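The server-side check the remediation describes, written out as an added example (this is not Microweber's own code or the fix in commit 5a5e82). The field names, the 255-character limit and the 5000-character test value come from the report; the function name, the error format and the phone character set are assumptions. Counting characters with mb_strlen rather than strlen means the limit matches what the report calls "characters" even for multi-byte names.

```php
<?php
// Added example, not Microweber's code: server-side length validation for the
// checkout fields named in the report. The limit (255) and the field names
// come from the report; everything else here is an assumption.

const CHECKOUT_FIELD_MAX_LENGTH = 255;

/**
 * Validate checkout form fields on the server. A maxlength attribute in the
 * HTML form is not sufficient, because the request can be sent without the
 * browser enforcing it.
 *
 * @param array $fields associative array such as ['first_name' => ..., 'phone' => ...]
 * @return array list of error messages; an empty array means the input is acceptable
 */
function validateCheckoutFields(array $fields): array
{
    $errors = [];

    foreach (['first_name', 'last_name', 'email', 'phone'] as $name) {
        $value = $fields[$name] ?? '';

        if (!is_string($value)) {
            $errors[] = "$name must be a string";
            continue;
        }

        // mb_strlen counts characters, not bytes, so the limit applies to what
        // the user typed; a separate database column limit may still be smaller.
        if (mb_strlen($value, 'UTF-8') > CHECKOUT_FIELD_MAX_LENGTH) {
            $errors[] = "$name must not exceed " . CHECKOUT_FIELD_MAX_LENGTH . " characters";
        }
    }

    // Assumed phone format on top of the length limit: digits, spaces, +, -, ( ) and dots.
    $phone = $fields['phone'] ?? '';
    if (is_string($phone) && $phone !== '' && !preg_match('/^[0-9+\-\s().]+$/', $phone)) {
        $errors[] = 'phone contains unexpected characters';
    }

    return $errors;
}

// Constructed sample inputs: a normal submission, and one that mirrors the
// report by sending more than 5000 characters in the first name and phone fields.
$normal = validateCheckoutFields([
    'first_name' => 'Alice',
    'email'      => 'alice@example.com',
    'phone'      => '+1 555 0100',
]);
$oversized = validateCheckoutFields([
    'first_name' => str_repeat('A', 5001),
    'phone'      => str_repeat('9', 5001),
]);

echo 'normal submission errors: ', json_encode($normal), PHP_EOL;
echo 'oversized submission errors: ', json_encode($oversized), PHP_EOL;
```

If the check is wired into the application's own validation layer instead of a standalone function, the equivalent Laravel rule (Microweber is built on Laravel) is `'phone' => 'required|string|max:255'` and `'first_name' => 'required|string|max:255'`, which rejects the request with a 422 response before the value reaches the order record.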

References

We are processing your report and will contact the microweber team within 24 hours. a year ago
Peter Ivanov validated this vulnerability a year ago
Nithissh12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit 5a5e82 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
Bozhidar
a year ago

fixed

Nithissh12
a year ago

Researcher


The CVE wasn't assigned