Users can still comment on unpublished blog posts in microweber/microweber

Valid

Reported on May 24th 2023


1. Admin creates blog1 (id=1) and blog2 (id=2) and publishes only blog1.

2. user1 comments on blog1 and intercepts the request with Burp Suite:

POST /demo/admin/post HTTP/1.1
........
rel_id=1&_token=CagiMKpbls0v5yX00BdrkNvVgo3gInDvXwg86TA9&rel=content&module_id=module-comments-21&comment_body=mycomment4

3. Replace rel_id=1 with rel_id=2, i.e. we comment on blog2, which is not published.

4. The result shows that we commented successfully.
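The steps above amount to a missing server-side authorization check: the comment endpoint trusts the client-supplied rel_id and never confirms that the target content is published. The following is an added illustration, not code from the microweber project. It parses the captured form body, re-encodes it with the tampered rel_id as in step 3, and runs it against two hypothetical handlers: one modelling the pre-fix behaviour and one that resolves the target and requires it to be published. The in-memory content table, the is_active flag and the handler names are assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode


# Constructed sample content table mirroring the report: blog1 (id=1) is
# published, blog2 (id=2) is not. The field name is_active is an assumption
# standing in for whatever "published" flag the real application stores.
@dataclass
class Content:
    id: int
    title: str
    is_active: bool


CONTENT = {
    1: Content(1, "blog1", True),
    2: Content(2, "blog2", False),
}

# The form body captured in the report (step 2).
CAPTURED_BODY = (
    "rel_id=1&_token=CagiMKpbls0v5yX00BdrkNvVgo3gInDvXwg86TA9"
    "&rel=content&module_id=module-comments-21&comment_body=mycomment4"
)


def parse_comment_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def tamper_rel_id(body: str, new_rel_id: int) -> str:
    """Step 3 of the report: re-encode the captured body with a different rel_id."""
    form = parse_comment_form(body)
    form["rel_id"] = str(new_rel_id)
    return urlencode(form)


def post_comment_vulnerable(form: dict, store: list) -> dict:
    """Hypothetical model of the pre-fix behaviour: the handler trusts the
    client-supplied rel_id and only checks that some content row exists."""
    rel_id = int(form["rel_id"])
    if rel_id not in CONTENT:
        return {"success": False, "error": "content not found"}
    store.append((rel_id, form["comment_body"]))
    return {"success": True, "rel_id": rel_id}


def post_comment_fixed(form: dict, store: list) -> dict:
    """Hardened handler: resolve the target and require it to be published.
    Unpublished and nonexistent targets get the same response so the endpoint
    cannot be used to enumerate draft content by id."""
    if form.get("rel") != "content":
        return {"success": False, "error": "unsupported rel"}
    try:
        rel_id = int(form.get("rel_id", ""))
    except ValueError:
        return {"success": False, "error": "content not found"}
    target = CONTENT.get(rel_id)
    if target is None or not target.is_active:
        return {"success": False, "error": "content not found"}
    store.append((target.id, form["comment_body"]))
    return {"success": True, "rel_id": target.id}


if __name__ == "__main__":
    vuln_store, fixed_store = [], []
    tampered = parse_comment_form(tamper_rel_id(CAPTURED_BODY, 2))
    print("vulnerable:", post_comment_vulnerable(tampered, vuln_store))
    print("fixed:     ", post_comment_fixed(tampered, fixed_store))
```

The hardened handler deliberately returns the same "content not found" response for a draft and for a nonexistent id; distinguishing the two would turn the comment endpoint into an oracle for which unpublished ids exist.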

Impact

An attacker can comment on any blog post, even one that is not published, because the comment endpoint does not verify that the content referenced by rel_id is published before accepting the comment.

We are processing your report and will contact the microweber team within 24 hours. 6 months ago
We have contacted a member of the microweber team and are waiting to hear back 6 months ago
Peter Ivanov modified the Severity from High (7.6) to Medium (4.6) 6 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability 6 months ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 2.0 with commit bc537e 6 months ago
Peter Ivanov has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Nov 7th 2023
Peter Ivanov published this vulnerability a month ago