Insufficient Granularity of Access Control in microweber/microweber


Reported on

Mar 6th 2022


There is no rate limit on the newsletter subscription form, and a captcha response can be reused, so a single solved captcha can be replayed to send the administrator an unlimited number of notifications.

Proof of Concept

Capture the newsletter subscription flow in Burp and keep entering an email address and captcha until the POST form request shown below is captured. Then send that request to Burp Intruder to issue as many notifications as desired by replaying the same captcha.

Sample Request

POST /demo/api/post_form HTTP/1.1
Host:
Cookie: laravel_session=kcTjGuBIPY5gQLMzQ7KLvp0cv0EQQz2nfJEcPKAE; csrf-token-data=%7B%22value%22%3A%22SCWkLefQrigbTe92em37PL4qEBKnLg7ZvVewn60f%22%2C%22expiry%22%3A1646569870269%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 137
Origin:
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close



Impact: this vulnerability allows an attacker to flood the administrator with notifications.
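The two controls the report says are missing, a single-use captcha challenge and a per-client submission limit, as an added illustration that is not microweber's CaptchaValidator.php or code from the fix commit. The class, its method names and the `limit`/`window`/`ttl` parameters are assumptions, and the in-memory dicts stand in for the session or cache store a real deployment would use.

```python
import hmac
import secrets
import time
from collections import defaultdict


class CaptchaValidator:
    """Single-use captcha challenges bound to a session, plus a per-client submission limit.

    Hypothetical design, not the project's code. Two properties close the reported issue:
    a challenge id is removed from the store on its first validation attempt, so a
    captured POST cannot be replayed, and each client key gets at most `limit`
    submissions per `window` seconds regardless of captcha outcome.
    """

    def __init__(self, ttl=300, limit=5, window=60):
        self._pending = {}               # challenge_id -> (session_id, answer, expires_at)
        self._hits = defaultdict(list)   # client key (e.g. source IP) -> submission times
        self.ttl, self.limit, self.window = ttl, limit, window

    def issue(self, session_id, answer, now=None):
        """Register a freshly rendered captcha; returns the opaque challenge id for the form."""
        now = time.time() if now is None else now
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (session_id, answer, now + self.ttl)
        return challenge_id

    def validate(self, session_id, challenge_id, answer, client_key, now=None):
        """Return (accepted, reason). Every call consumes the challenge and counts toward the limit."""
        now = time.time() if now is None else now
        # Rate limit first, so replayed or wrong submissions still spend the client's budget.
        recent = [t for t in self._hits[client_key] if t > now - self.window]
        if len(recent) >= self.limit:
            self._hits[client_key] = recent
            return False, "rate_limited"
        recent.append(now)
        self._hits[client_key] = recent
        # Pop unconditionally: a challenge is used up by its first attempt, right or wrong.
        record = self._pending.pop(challenge_id, None)
        if record is None:
            return False, "unknown_or_reused"
        bound_session, expected, expires_at = record
        if now > expires_at:
            return False, "expired"
        if bound_session != session_id or not hmac.compare_digest(expected, answer):
            return False, "wrong"
        return True, "ok"
```

Using the captured request's captcha a second time maps to the `unknown_or_reused` branch, and an Intruder run against the form hits `rate_limited` after `limit` submissions.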

We are processing your report and will contact the microweber team within 24 hours.
We have contacted a member of the microweber team and are waiting to hear back.
Bozhidar Slaveykov validated this vulnerability.
rajeshpatil013 has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Bozhidar Slaveykov marked this as fixed in 1.3 with commit 201290.
Bozhidar Slaveykov has been awarded the fix bounty.
This vulnerability will not receive a CVE.
CaptchaValidator.php#L8 has been validated.