The microweber application allows large input to be inserted into the "Email" input field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in microweber/microweber

Status: Valid

Reported on: May 13th 2022


POC:

  1. Go to the home page http://127.0.0.1/ and there will be an option to sign up with email and phone number with 3 check boxes
  2. Screenshot: https://ibb.co/F3tPVWY
  3. Fill the email parameter with a huge number of characters
  4. When the admin checks the notifications (http://127.0.0.1/admin/notification), the page will be flooded with our payload

Payload:

https://drive.google.com/file/d/1-e-lPMJxO7zBhcZOGKipnqOj3C4ygDGA/view?usp=drivesdk

POC screenshot:

https://ibb.co/R72wybz

POC Video:

https://www.mediafire.com/file/ar3qywsh2hvf6fo/microweber--poc--latest.mov/file

Patch recommendation:

  1. The Email input should be limited to 50 characters or max 100 characters.
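As an added illustration of that recommendation (not Microweber's own code), the following server-side check rejects an oversized "Email" value before it can reach storage or the admin notification list; `validate_signup_email()` and `EMAIL_MAX_LENGTH` are hypothetical names chosen for this example.

```php
<?php
// Added example, not Microweber's own code: server-side validation of a
// signup "Email" value before it is stored or shown in admin notifications.
// validate_signup_email() and EMAIL_MAX_LENGTH are hypothetical names.
declare(strict_types=1);

const EMAIL_MAX_LENGTH = 100; // upper bound suggested in the patch recommendation

/**
 * Returns null when the value is acceptable, otherwise a short error message.
 * The length check runs first, so an oversized payload is rejected before it
 * reaches format validation, storage, or the notification list.
 */
function validate_signup_email(string $email): ?string
{
    $email = trim($email);
    if ($email === '') {
        return 'email is required';
    }
    // mb_strlen counts characters rather than bytes, so multi-byte input is
    // measured the same way it would be displayed.
    if (mb_strlen($email) > EMAIL_MAX_LENGTH) {
        return 'email must be at most ' . EMAIL_MAX_LENGTH . ' characters';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'email format is invalid';
    }
    return null;
}

// Constructed inputs: a normal address, an oversized value like the one in the
// proof of concept above, and a malformed address.
$cases = [
    'user@example.com',
    str_repeat('a', 5000) . '@example.com',
    'not-an-email',
];

foreach ($cases as $input) {
    $shown  = mb_strlen($input) > 24 ? mb_substr($input, 0, 21) . '...' : $input;
    $result = validate_signup_email($input) ?? 'accepted';
    printf("%-24s -> %s\n", $shown, $result);
}
```

The same bound should also be applied where notification text is rendered, so that a value stored through another entry point cannot flood the admin page.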

Impact

  1. It can lead to DoS

Timeline:

  - We are processing your report and will contact the microweber team within 24 hours. (2 years ago)
  - We have contacted a member of the microweber team and are waiting to hear back. (2 years ago)
  - Bozhidar Slaveykov modified the Severity from High to None. (2 years ago)
  - The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
  - Bozhidar Slaveykov validated this vulnerability. (2 years ago)
  - akshayravic09yc47 has been awarded the disclosure bounty.
  - The fix bounty is now up for grabs.
  - The researcher's credibility has increased: +7
  - Bozhidar Slaveykov marked this as fixed in 1.2.16 with commit 4ac2a4. (2 years ago)
  - Bozhidar Slaveykov has been awarded the fix bounty.
Akshay Ravi (Researcher), 2 years ago:

@admin can you please assign a CVE for this?

Jamie Slome, 2 years ago:

We do not currently assign CVEs to vulnerabilities with a None severity.
