Error content leaked on file upload in microweber/microweber


Reported on Jun 8th 2023


1/ Access the demo website and go to https://demo.microweber.org/demo/admin/content/21/edit

2/ There is a file upload function; upload a file to trigger the error. Moreover, it allows uploading a ZIP file (which should not be allowed here).

Proof of Concept

Link PoC: https://drive.google.com/file/d/1e9DS3Q-RGC0HlY_AzcDYCz5W5x9CqtQd/view?usp=sharing


An attacker can take advantage of this to learn information about the application from the error content.
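As an added illustration (not Microweber's own code, and written in Python rather than the project's PHP), the handler below shows the two issues the report raises side by side: a leaky version that returns the raw exception text to the client, and a hardened version that checks the file extension against an allowlist, refuses ZIP and script extensions, and returns only a generic message plus a short reference id while the full detail goes to the server log. The allowlist, the `save` storage callback and the sample error text are constructed for this example.

```python
import logging
import os
import uuid

# Constructed allowlist for an editor's image/document upload widget; the
# real Microweber policy is not stated in the report.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf"}

# Refused even if the allowlist above is widened later.
BLOCKED_EXTENSIONS = {"zip", "php", "phtml", "phar"}

log = logging.getLogger("upload")


class UploadRejected(Exception):
    """Policy violation whose message is safe to show to the client."""


def _extension(filename: str) -> str:
    # Judge only the final path component and its last suffix, so
    # "../x.php" and "a.jpg.zip" are evaluated by their real extension.
    base = os.path.basename(filename)
    if "." not in base:
        return ""
    return base.rpartition(".")[2].lower()


def validate_upload(filename: str) -> str:
    """Return the normalised extension or raise UploadRejected."""
    ext = _extension(filename)
    if ext in BLOCKED_EXTENSIONS or ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("File type not allowed")
    return ext


def store_upload_leaky(filename: str, data: bytes, save) -> dict:
    """The behaviour the report describes: no type check, and whatever the
    storage layer raises (paths, SQL state, stack text) is sent back."""
    try:
        save(filename, data)
        return {"ok": True}
    except Exception as exc:
        return {"ok": False, "error": str(exc)}


def store_upload(filename: str, data: bytes, save) -> dict:
    """Hardened handler. `save` is a hypothetical storage backend callable
    that may raise with internal details; those are logged, never returned."""
    try:
        ext = validate_upload(filename)
        save(filename, data)
        return {"ok": True, "extension": ext}
    except UploadRejected as exc:
        # Policy messages are deliberately generic and safe to return.
        return {"ok": False, "error": str(exc)}
    except Exception as exc:
        # Correlate client message and server log without exposing internals.
        ref = uuid.uuid4().hex[:12]
        log.error("upload failed ref=%s file=%r: %s", ref, filename, exc)
        return {"ok": False, "error": "Upload failed", "ref": ref}


if __name__ == "__main__":
    def failing_save(name, data):
        # Constructed internal error of the kind a client should never see.
        raise RuntimeError("SQLSTATE[42S02] in /var/www/app/Upload.php:88")

    print(store_upload_leaky("photo.png", b"x", failing_save))
    print(store_upload("photo.png", b"x", failing_save))
    print(store_upload("archive.zip", b"PK", lambda n, d: None))
```

The reference id is what lets support staff find the detailed log entry for a failed upload, so operators lose nothing by withholding the exception text from the response.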

We are processing your report and will contact the microweber team within 24 hours. 9 months ago
Peter Ivanov modified the Severity from Medium (4.3) to Low (3.1) 8 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability 8 months ago
uonghoangminhchau has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 2.0 with commit f7eb9e 8 months ago
Peter Ivanov has been awarded the fix bounty
This vulnerability has now been published 3 months ago