The microweber application allows large characters to insert in the input field "SKU" which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in microweber/microweber

Valid

Reported on

Mar 14th 2022


1. Go to add post http://site.com/admin/product/create and click on create new product.
2. There will be an option called SKU.
3. Fill the input field with huge characters (more than 1 lakh).
4. Copy the below payload, put it in the input fields and click on continue.

You will see the application accepts large characters, and if we increase the characters then it can lead to DoS.

Download the payload from here: https://drive.google.com/file/d/1mQ_RMqcWiKuzRL_sQ0LfeKCboOd3WcYP/view?usp=sharing

Video & Image POC: https://drive.google.com/drive/folders/1Y4prHy4EWlJBaleOAyeN82lQeb4JaAca?usp=sharing

Patch recommendation: The post title input should be limited to 500 characters or max 1000 characters.

References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25062
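The patch recommendation above, sketched as a server-side check in plain PHP. This is an added example, not code from the report or from microweber's fix; the function name, the 500-character limit (the lower bound the report suggests) and the 64 KiB body cap are assumptions, and the mbstring extension is assumed to be loaded.

```php
<?php
declare(strict_types=1);

// Assumed limit: the report recommends 500 to 1000 characters; 500 is used here.
const MAX_SKU_CHARS = 500;
// Hypothetical cap on the whole form body, checked before any field is inspected.
const MAX_BODY_BYTES = 65536;

// Hypothetical helper: returns a list of errors; an empty list means accepted.
function validateProductInput(array $fields, int $contentLength): array
{
    // Reject oversized requests outright instead of processing and storing them.
    if ($contentLength > MAX_BODY_BYTES) {
        return ['request body exceeds ' . MAX_BODY_BYTES . ' bytes'];
    }

    $sku = $fields['sku'] ?? '';
    if (!is_string($sku)) {
        // Array-valued parameters (sku[]=...) must not slip past string checks.
        return ['sku must be a string'];
    }
    if (!mb_check_encoding($sku, 'UTF-8')) {
        return ['sku is not valid UTF-8'];
    }
    if (mb_strlen($sku, 'UTF-8') > MAX_SKU_CHARS) {
        // Reject rather than truncate, so the stored value always equals what was sent.
        return ['sku exceeds ' . MAX_SKU_CHARS . ' characters'];
    }
    return [];
}

// Constructed sample inputs.
$cases = [
    'normal'     => ['sku' => 'TSHIRT-RED-M'],
    'at limit'   => ['sku' => str_repeat('A', MAX_SKU_CHARS)],
    'over limit' => ['sku' => str_repeat('A', MAX_SKU_CHARS + 1)],
    'oversized'  => ['sku' => str_repeat('A', 100000)], // "1 lakh" characters, as in the report
    'array'      => ['sku' => ['A', 'B']],
];

foreach ($cases as $name => $fields) {
    // The encoded form body stands in for the request's Content-Length.
    $length = strlen(http_build_query($fields));
    $errors = validateProductInput($fields, $length);
    printf("%-10s %s\n", $name, $errors ? 'rejected: ' . implode('; ', $errors) : 'accepted');
}
```

A client-side `maxlength` attribute on the input does not replace this check, because the request can be sent without the form.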

We are processing your report and will contact the microweber team within 24 hours. 2 years ago
Bozhidar Slaveykov modified the report
2 years ago
Bozhidar Slaveykov validated this vulnerability 2 years ago
Vishal Vishwakarma has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov marked this as fixed in 1.2.12 with commit 7eff34 2 years ago
Bozhidar Slaveykov has been awarded the fix bounty
This vulnerability will not receive a CVE
Vishal
2 years ago

Researcher


Can you please register this CVE?

Vishal
2 years ago

Researcher


Awesome, thanks. Hi @admin, could I request a CVE for this bug?

Jamie Slome
2 years ago

Admin


Before we proceed with a CVE, we just need to confirm that the maintainer is happy to proceed as well.

@maintainer, are you happy to assign and publish a CVE for this report?

Vishal
2 years ago

Researcher


Any update?

Vishal
2 years ago

Researcher


Any update @bobimicroweber @maintainer?

Vishal
2 years ago

Researcher


Any update @jamieslome?

Vishal
2 years ago

Researcher


@admin

Vishal
2 years ago

Researcher


@admin As the fix has been deployed, can you assign and publish a CVE for this report?

Jamie Slome
2 years ago

Admin


@vishalvishw10 - as this report has a severity of None, I think assigning and publishing a CVE for this report is unwarranted.

Vishal
2 years ago

Researcher


@admin I don't think my report severity is none, because someone has reported the same vulnerability in a different end but he got his CVE. Please check https://huntr.dev/bounties/cdf00e14-38a7-4b6b-9bb4-3a71bf24e436/

Jamie Slome
2 years ago

Admin


Ultimately it is up to the maintainer what they perceive the severity to be, as we generally do not take a position on this.

We believe that the maintainer is best placed to understand this 👍
