Open Redirect in microweber/microweber

Valid

Reported on

Jan 2nd 2022


Description

An Open Redirect vulnerability enables an attacker to redirect victims/users to malicious websites.

Proof of Concept

  1. Visit https://demo.microweber.org/demo/api/logout?redirect_to=https://example.com

It will redirect you to example.com.

Impact

Attackers can use it in phishing campaigns and get users to visit their malicious sites without realizing it. Attackers can manipulate users into visiting unintended websites.
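As an added illustration (not Microweber's code and not the contents of the fix commits referenced below), the unsafe pattern behind the PoC is shown next to a validator that confines `redirect_to` to the site's own origin; the function names and the own-host value are assumptions:

```php
<?php
// Added example (not Microweber's code). Models the logout flow from the PoC: the
// unsafe version trusts ?redirect_to= verbatim, the hardened version keeps the
// user on the site's own origin. $allowedHost is an assumption.
declare(strict_types=1);
// Vulnerable pattern: whatever arrives in redirect_to becomes the Location header.
function logoutRedirectUnsafe(array $query): string
{
    return $query['redirect_to'] ?? '/';
}
// Hardened: returns $target only when it cannot leave this site, else $default.
function safeRedirectTarget(?string $target, string $allowedHost, string $default = '/'): string
{
    if ($target === null || $target === '') {
        return $default;
    }
    // CR/LF would allow header injection; browsers treat "\" like "/", so
    // "/\evil.com" is read as the protocol-relative "//evil.com".
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $target)) {
        return $default;
    }
    // Protocol-relative URL: parse_url sees no scheme, but it still leaves the site.
    if (substr($target, 0, 2) === '//') {
        return $default;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return $default;
    }
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute URL: only http(s) on our own host ("https://ourhost@evil.com"
        // parses with host=evil.com and is rejected).
        $scheme = strtolower($parts['scheme'] ?? '');
        $host   = $parts['host'] ?? '';
        if (!in_array($scheme, ['http', 'https'], true) || strcasecmp($host, $allowedHost) !== 0) {
            return $default;
        }
        return $target;
    }
    // Everything else must be a site-relative path starting with a single "/".
    return $target[0] === '/' ? $target : $default;
}
// Constructed inputs, including the PoC value, checked against an assumed own host.
$own = 'demo.microweber.org';
foreach (['https://example.com', '//example.com', '/\\example.com', '/demo/dashboard',
          'https://demo.microweber.org@example.com/', 'https://demo.microweber.org/demo/'] as $in) {
    printf("%-44s -> %s\n", $in, safeRedirectTarget($in, $own));
}
```

Only the two same-host entries survive; every other input falls back to the default path, which is what a logout handler should do with an untrusted `redirect_to`.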

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
We have sent a follow up to the microweber team. We will try again in 7 days. a year ago
We have sent a second follow up to the microweber team. We will try again in 10 days. a year ago
Bozhidar
a year ago

Maintainer


https://github.com/microweber/microweber/commit/d2344bbd519f52605daaa520b24a39566deecabf

done!

Rohan Sharma
a year ago

Researcher


Yes, it looks fixed. Can you please validate this bug? There will be a button on the right side of this report. @bobimicroweber

We have sent a third and final follow up to the microweber team. This report is now considered stale. a year ago
Peter Ivanov validated this vulnerability a year ago
Rohan Sharma has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit 72d4b1 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
UserManager.php#L258-L277 has been validated
Peter Ivanov
a year ago

Maintainer


Hi, the correct issue fix commit is https://github.com/microweber/microweber/commit/d2344bbd519f52605daaa520b24a39566deecabf
