Leaking error content on file upload in microweber/microweber

Valid

Reported on

Jun 8th 2023


Description

1/ Open the demo website and go to https://demo.microweber.org/demo/admin/content/21/edit

2/ The page has a file upload function. Upload a file to trigger an error; the raw error content is returned in the response. In addition, the function accepts ZIP files, which should not be allowed at this point.

Proof of Concept

Link PoC: https://drive.google.com/file/d/1e9DS3Q-RGC0HlY_AzcDYCz5W5x9CqtQd/view?usp=sharing

Impact

An attacker can use the leaked error content to learn details about the application (internal paths, library and framework names, configuration hints).
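The two defects above, an upload handler that echoes raw exception text and an upload that accepts archive types, are illustrated below with a small added example. It is not Microweber's code; the allowlist, the magic-byte table and the helper names (`extension_of`, `is_allowed`, `leaky_upload`, `safe_upload`) are assumptions chosen for the illustration. `leaky_upload` shows the reported behaviour, `safe_upload` the hardened form: a type allowlist checked on both extension and file signature, and a generic client message with the detail kept in the server log under a correlation id.

```python
"""Added example (not Microweber's code): upload validation and error
handling for a content-editor file upload. All policy values are assumed."""
import logging
import os
import uuid

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("upload")

# Assumed policy for a content editor: images and PDF only, no archives.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp", "pdf"}

# Leading bytes for the allowed types; a name/signature mismatch is rejected.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}


def extension_of(filename):
    """Lower-cased final extension of the client-supplied name ('' if none)."""
    base = os.path.basename(filename)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def is_allowed(filename, data):
    """True only if the extension is allowlisted and the content matches it."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False
    if ext == "webp":  # RIFF container: 'RIFF' <size> 'WEBP'
        return data[:4] == b"RIFF" and data[8:12] == b"WEBP"
    return data.startswith(MAGIC[ext])


def leaky_upload(filename, data, store):
    """The pattern the report describes: no type check, and whatever the
    storage layer raises is sent back to the browser verbatim."""
    try:
        store(filename, data)
        return {"ok": True, "error": None, "ref": None}
    except Exception as exc:
        return {"ok": False, "error": str(exc), "ref": None}


def safe_upload(filename, data, store):
    """Hardened form: reject disallowed types up front; on a backend fault
    log the detail server-side and give the client only a reference id."""
    if not is_allowed(filename, data):
        return {"ok": False, "error": "File type not permitted.", "ref": None}
    try:
        store(filename, data)
        return {"ok": True, "error": None, "ref": None}
    except Exception as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("upload %s failed for %r: %r", ref, filename, exc)
        return {"ok": False, "error": "Upload failed (ref %s)." % ref, "ref": ref}


# Constructed inputs for a stand-alone run.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
ZIP_HEADER = b"PK\x03\x04" + b"\x00" * 16


def failing_store(filename, data):
    # Constructed backend fault; the message mimics what a real one can contain.
    raise OSError("[Errno 13] Permission denied: '/var/www/app/userfiles/media/%s'" % filename)


def accepting_store(filename, data):
    return None


if __name__ == "__main__":
    print(leaky_upload("photo.png", PNG_HEADER, failing_store))   # path leaks
    print(safe_upload("photo.png", PNG_HEADER, failing_store))    # only a ref
    print(safe_upload("archive.zip", ZIP_HEADER, accepting_store))  # rejected
```

The rejection of the ZIP happens before any storage call, so the archive never reaches disk, and the client-facing strings are fixed text plus an opaque reference, so nothing about the server's layout travels in the error.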

We are processing your report and will contact the microweber team within 24 hours. 9 months ago
Peter Ivanov modified the Severity from Medium (4.3) to Low (3.1) 8 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability 8 months ago
uonghoangminhchau has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 2.0 with commit f7eb9e 8 months ago
Peter Ivanov has been awarded the fix bounty
This vulnerability has now been published 3 months ago