Improper Input Validation in microweber/microweber

Valid

Reported on

Feb 17th 2022


Description

The phone number field on the product checkout page lacks input length validation: any user can submit more than 5000 characters, which should not be allowed. The expected behaviour is that at most 255 characters are accepted.

Steps to Reproduce

  • In the Shop, check out any product
  • On the checkout page, enter the requested details such as name, email address and phone number
  • The First name and Phone number input fields are affected
  • More than 5000 characters can be entered in these fields without any length validation

Impact

An attacker could make use of this missing validation, which leads to

  • Memory corruption
  • Denial of Service

Occurrences

Remediation

This can be fixed by enforcing a character limit on the input fields so that no user or admin can enter more than 255 characters.
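The limit has to be enforced on the server, since an HTML `maxlength` attribute is trivially bypassed. The following is an added, standalone PHP illustration of that check for the checkout fields named in the report; it is not Microweber's own form handler, and the field names, the 255-character limit and the phone character set are assumptions (in Microweber's Laravel code base the equivalent would be a `max:255` validation rule).

```php
<?php
// Added example, not Microweber's code: server-side length validation for
// checkout fields. Field names and the phone character set are assumptions.
declare(strict_types=1);

const MAX_FIELD_LENGTH = 255;

/**
 * Validate checkout fields and return a list of error messages (empty = valid).
 * Length is counted in characters (mb_strlen), so multibyte names are measured
 * correctly and an over-long value cannot be hidden behind a byte count.
 */
function validateCheckoutFields(array $fields): array
{
    $errors = [];
    $limits = [
        'first_name' => MAX_FIELD_LENGTH,
        'last_name'  => MAX_FIELD_LENGTH,
        'email'      => MAX_FIELD_LENGTH,
        'phone'      => MAX_FIELD_LENGTH,
    ];

    foreach ($limits as $name => $max) {
        $value = $fields[$name] ?? '';
        if (!is_string($value)) {          // rejects phone[]=... style arrays
            $errors[] = "$name must be a string";
            continue;
        }
        if (mb_strlen(trim($value), 'UTF-8') > $max) {
            $errors[] = "$name must not exceed $max characters";
        }
    }

    // Phone: besides the length, allow only digits, spaces and + ( ) - .
    $phone = $fields['phone'] ?? '';
    if (is_string($phone) && !preg_match('/^[0-9 +().-]*$/', trim($phone))) {
        $errors[] = 'phone contains invalid characters';
    }

    return $errors;
}

// Constructed inputs: a normal order and the 5000-character case from the report.
$ok  = validateCheckoutFields(['first_name' => 'Ana', 'email' => 'a@example.com', 'phone' => '+1 555 0100']);
$bad = validateCheckoutFields(['first_name' => str_repeat('A', 5000), 'phone' => str_repeat('1', 5000)]);
echo $ok === [] ? "valid order\n" : implode("\n", $ok) . "\n";
echo implode("\n", $bad) . "\n";   // two "must not exceed 255 characters" errors
```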

References

We are processing your report and will contact the microweber team within 24 hours. 3 months ago
Peter Ivanov validated this vulnerability 3 months ago
Nithissh12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on 5a5e82 3 months ago
Peter Ivanov has been awarded the fix bounty
Bozhidar
3 months ago

Maintainer


fixed

Nithissh12
3 months ago

Researcher


The CVE wasn't assigned
