Open Redirect in microweber/microweber

Valid

Reported on

Jan 2nd 2022


Description

An Open Redirect vulnerability enables an attacker to send victims to a website of the attacker's choosing through a link that begins at the trusted domain. Here the `redirect_to` parameter of the logout endpoint is used as the redirect target without any check that it points back to the site.

Proof of Concept

  1. Visit https://demo.microweber.org/demo/api/logout?redirect_to=https://example.com

The response redirects the browser to https://example.com, an origin outside the application, so any attacker-controlled URL placed in `redirect_to` is followed.
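
The following is an added example, not code from microweber (which is written in PHP) or from the report: it reproduces the behaviour the PoC shows beside one way to validate a user-supplied redirect target. The site origin, the two handler functions and the sample inputs are constructed for illustration and are not taken from the project.

```python
"""Added example (not microweber's code): an unchecked ``redirect_to``
parameter beside a validated one.

Everything here is constructed for illustration; the site origin and the
two handler functions are assumptions, not taken from the project."""
from urllib.parse import urlsplit

# Assumed origin of the deployment being protected (constructed for the example).
SITE_ORIGIN = "https://demo.microweber.org"
DEFAULT_TARGET = "/"


def vulnerable_logout_location(redirect_to):
    """Behaviour the PoC demonstrates: the Location header is whatever the
    caller supplied, so ?redirect_to=https://example.com leaves the site."""
    return redirect_to or DEFAULT_TARGET


def safe_redirect_target(redirect_to, site_origin=SITE_ORIGIN, default=DEFAULT_TARGET):
    """Return a same-site redirect target, or ``default`` if the supplied value
    would send the browser anywhere else.

    The result is always a rooted path (plus query/fragment), never an absolute
    URL, so the Location header can never name a foreign host."""
    if not redirect_to:
        return default
    # Reject C0 control characters and DEL: never legitimate in a redirect
    # target, and CR/LF in particular can split response headers.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in redirect_to):
        return default
    # Browsers treat "\" like "/" in http(s) URLs, so "/\evil.example" is really
    # a protocol-relative URL to evil.example. Normalise before parsing.
    parts = urlsplit(redirect_to.replace("\\", "/"))
    if parts.scheme or parts.netloc:
        # Absolute ("https://...", "javascript:...") or protocol-relative ("//...")
        # input: allow it only when scheme and host[:port] equal our own origin.
        # This also rejects "host.evil.example", "host@evil.example" and an
        # http:// downgrade of the same host.
        site = urlsplit(site_origin)
        if (parts.scheme.lower() != site.scheme.lower()
                or parts.netloc.lower() != site.netloc.lower()):
            return default
        path = parts.path or "/"
    else:
        # Relative input must be a single-slash-rooted path; "//" has already
        # become a netloc above, but stay defensive for any residual form.
        path = parts.path
        if not path.startswith("/") or path.startswith("//"):
            return default
    target = path
    if parts.query:
        target += "?" + parts.query
    if parts.fragment:
        target += "#" + parts.fragment
    return target


def hardened_logout_location(redirect_to):
    """The same handler with the check applied."""
    return safe_redirect_target(redirect_to)


# Constructed inputs: the PoC payload plus common bypass shapes and two
# legitimate values that must keep working.
SAMPLE_INPUTS = [
    "https://example.com",                       # the reported PoC
    "//example.com",                             # protocol-relative
    "/\\example.com",                            # backslash trick
    "https://demo.microweber.org.evil.example/", # host-suffix confusion
    "https://demo.microweber.org@evil.example/", # userinfo trick
    "javascript:alert(1)",                       # non-http scheme
    "http://demo.microweber.org/admin",          # scheme downgrade
    "/admin/login?x=1",                          # legitimate relative path
    "https://demo.microweber.org/admin/login",   # legitimate same-origin URL
]

if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print(f"{value!r}: vulnerable -> {vulnerable_logout_location(value)!r}, "
              f"hardened -> {hardened_logout_location(value)!r}")
```

The hardened handler falls back to `/` rather than erroring, so a tampered link still logs the user out and lands them on the site; comparing the full `netloc` is deliberately strict (a URL with an explicit `:443` is rejected too), which is the safer default for a logout redirect.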

Impact

Attackers can use this in phishing campaigns: a link that visibly starts with the trusted microweber domain sends users to a malicious site without their realizing it, so they can be manipulated into visiting unintended websites.

We are processing your report and will contact the microweber team within 24 hours. 5 months ago
We have contacted a member of the microweber team and are waiting to hear back 5 months ago
We have sent a follow up to the microweber team. We will try again in 7 days. 5 months ago
We have sent a second follow up to the microweber team. We will try again in 10 days. 4 months ago
Bozhidar
4 months ago

Maintainer


https://github.com/microweber/microweber/commit/d2344bbd519f52605daaa520b24a39566deecabf

done!

Rohan Sharma
4 months ago

Researcher


Yes, it looks fixed. Can you please validate this bug? There will be a button on the right side of this report. @bobimicroweber

We have sent a third and final follow up to the microweber team. This report is now considered stale. 4 months ago
Peter Ivanov validated this vulnerability 4 months ago
Rohan Sharma has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on 72d4b1 4 months ago
Peter Ivanov has been awarded the fix bounty
UserManager.php#L258-L277 has been validated
Peter Ivanov
4 months ago

Maintainer


Hi, the correct issue fix commit is https://github.com/microweber/microweber/commit/d2344bbd519f52605daaa520b24a39566deecabf
