Weak Password Recovery Mechanism for Forgotten Password in microweber/microweber
Feb 25th 2022
There is no rate limit, so unlimited emails can be sent to the victim or to any email address.
Proof of Concept:
There is no rate limit on return-password, so an attacker can send unlimited emails to the victim or to any email address.
An attacker can send unlimited emails to any mail address.
Add 'throttle' => 60, to the auth.php config, or $this->middleware('throttle:3,1') to the forgot-password controller constructor.
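As an added illustration (a constructed example, not microweber or Laravel code): the unthrottled handler beside a hardened one that models the two controls the suggested fix names, a per-client limit of three requests per minute (what `throttle:3,1` enforces) and a per-address cooldown of 60 seconds (what `'throttle' => 60` in auth.php enforces for the reset mail). The IP addresses, mail addresses and class names are made up. It goes slightly beyond the report in one respect: it also shows why the per-address cooldown matters, since a per-client limit alone does not stop several clients from each sending one reset mail to the same victim.

```python
"""Rate limiting a forgot-password endpoint: weak handler vs. hardened handler.

Constructed, self-contained example. It is not microweber's code; it models
two controls that the report's suggested fix corresponds to:
  * a per-client limit  (3 requests per minute per client, like throttle:3,1)
  * a per-target cooldown (one reset mail per address per 60 s, like
    'throttle' => 60 in auth.php)
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Mailer:
    """Records outgoing reset mails instead of sending them (constructed stub)."""
    sent: list[str] = field(default_factory=list)

    def send_reset(self, to: str) -> None:
        self.sent.append(to)


# Each request is (timestamp in seconds, client IP, target email address).
Request = tuple[float, str, str]


def weak_forgot_password(mailer: Mailer, requests: list[Request]) -> int:
    """Vulnerable behaviour: every request sends a mail, with no limit at all.

    Returns the number of mails sent.
    """
    for _ts, _ip, email in requests:
        mailer.send_reset(email)
    return len(mailer.sent)


class ResetThrottle:
    """Two independent limits: per client (sliding window) and per target (cooldown)."""

    def __init__(self, per_client_max: int = 3, per_client_window: float = 60.0,
                 per_target_cooldown: float = 60.0) -> None:
        self.per_client_max = per_client_max
        self.per_client_window = per_client_window
        self.per_target_cooldown = per_target_cooldown
        self._client_hits: dict[str, list[float]] = defaultdict(list)  # ip -> timestamps
        self._last_sent: dict[str, float] = {}  # email -> time of last reset mail

    def allow(self, now: float, ip: str, email: str) -> tuple[bool, str]:
        # Per-client limit: count requests from this IP inside the window.
        # A request that is refused here is not recorded, so the window does not
        # grow while the client is being rejected.
        hits = [t for t in self._client_hits[ip] if now - t < self.per_client_window]
        if len(hits) >= self.per_client_max:
            self._client_hits[ip] = hits
            return False, "too many requests from client"
        hits.append(now)
        self._client_hits[ip] = hits

        # Per-target cooldown: at most one reset mail per address per cooldown.
        # This is what protects a victim from many different clients.
        last = self._last_sent.get(email)
        if last is not None and now - last < self.per_target_cooldown:
            return False, "reset recently sent to this address"
        self._last_sent[email] = now
        return True, "sent"


def hardened_forgot_password(mailer: Mailer, requests: list[Request],
                             throttle: ResetThrottle | None = None) -> tuple[int, list[str]]:
    """Hardened behaviour: only requests that pass both limits send a mail.

    Returns (number of mails sent, per-request decision strings).
    """
    throttle = throttle or ResetThrottle()
    decisions = []
    for ts, ip, email in requests:
        ok, why = throttle.allow(ts, ip, email)
        if ok:
            mailer.send_reset(email)
        decisions.append(why)
    return len(mailer.sent), decisions


# Constructed sample traffic.
# One attacker IP fires 10 requests within 10 s at a single victim address.
ATTACK_BURST: list[Request] = [(float(i), "203.0.113.7", "victim@example.test") for i in range(10)]
# Five different attacker IPs each send one request at the same victim within 5 s.
DISTRIBUTED: list[Request] = [(float(i), f"198.51.100.{i}", "victim@example.test") for i in range(5)]


if __name__ == "__main__":
    print("weak handler, burst:", weak_forgot_password(Mailer(), ATTACK_BURST), "mails")
    print("hardened, burst:", hardened_forgot_password(Mailer(), ATTACK_BURST))
    print("hardened, distributed:", hardened_forgot_password(Mailer(), DISTRIBUTED))
    print("per-client limit only, distributed:",
          hardened_forgot_password(Mailer(), DISTRIBUTED, ResetThrottle(per_target_cooldown=0.0)))
```

With the per-client limit alone (`per_target_cooldown=0.0`), the five distributed requests all get through and the victim receives five mails; with the per-address cooldown in place the victim receives one, which is the property the `'throttle' => 60` setting is there to provide.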
Bozhidar Slaveykov validated this vulnerability a year ago
HDVinnie has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov marked this as fixed in 1.3 with commit a3944c a year ago
This vulnerability will not receive a CVE