user can still comment the unpublish blog in microweber/microweber


Reported on

May 24th 2023

1 admin create blog1(id=1) and blog2(id=2), only publish blog1

2 user1 comment blog1, using burpsuite hijack it

POST /demo/admin/post HTTP/1.1

3 repalce rel_id from 1 to 2, i.e we comment the blog2 which is not publish

4 result shows that we comment sucess.


attacker can comment any blog, even the blog is not publish.

We are processing your report and will contact the microweber team within 24 hours. 6 months ago
We have contacted a member of the microweber team and are waiting to hear back 6 months ago
Peter Ivanov modified the Severity from High (7.6) to Medium (4.6) 6 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability 6 months ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 2.0 with commit bc537e 6 months ago
Peter Ivanov has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Nov 7th 2023
Peter Ivanov published this vulnerability a month ago
to join this conversation