Cross-Site Request Forgery (CSRF) in microweber/microweber


Reported on

Dec 9th 2021


Attacker is able to logout a user if a logged in user visits attacker website.


This vulnerability is capable of forging user to unintentional logout.


Tested on Edge, firefox, chrome and safari.


You should use POST instead of GET (ANY).

To expand:

One way GET could be abused here is that a person (competitor perhaps:) placed an image tag with src="" ANYWHERE on the internet, and if a user of your site stumbles upon that page, he will be unknowingly logged out.

This is why it should be a POST with a @csrf token.

"While this cannot harm a users account it can be a great annoyance and is a valid CSRF." As a maintainer of a few Laravel projects myself this is a simple fix. You will see that laravel itself now uses a POST request for logout and not GET. See laravel-ui, laravel-breeze and laravel-jetstream for references. You can also find info on Laracasts forums and laravel issue tracker. There may be cases when this may be used in a multi-stage attack to first log someone out, then prompt them to log in on a spoofed page, thus stealing their credentials

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
We have sent a follow up to the microweber team. We will try again in 7 days. a year ago
We have sent a second follow up to the microweber team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the microweber team. This report is now considered stale. a year ago
Peter Ivanov validated this vulnerability a year ago
HDVinnie has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit 756096 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation