Insertion of Sensitive Information Into Debugging Code in microweber/microweber

Valid

Reported on

Feb 20th 2022

Description

Laravel debug mode exposes sensitive data, eg: internal source codes, stack traces, sql queries, databases names, tables names, user's cookies, email, phone number, username, laravel version, php version, etc

Proof of Concept

  1. Login into http://demo.microweber.org
  2. Navigate to this endpoint(including single quote at the end): http://demo.microweber.org/demo/admin/category/create'
  3. you will see all the exposed information.

Impact

Server running in debug mode, exposing sensitive information about server and user.

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
Bozhidar Slaveykov validated this vulnerability a year ago
Damanpreet has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov marked this as fixed in 1.3 with commit b12e1a a year ago
Bozhidar Slaveykov has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation