Improper Input Validation in microweber/microweber

Valid

Reported on

Feb 17th 2022

Description

There is a lack of input length validation in phone number field at the checkout product where any user may able to add more than 5000+ character which shouldn't be allowed . Our expected result should be only 255 character should be allowed

Steps to Reproduce

  • In the Shop , checkout anyone product
  • Now , In the checkout page we have to enter some details like name , mail id and phone number
  • In the Input field namely First name and phone number were vulnerable to this
  • We can add more than 5000+ character on these field without any length validation

Impact

An attacker would make use of this vulnerability and this leads to

  • Memory corruption
  • Denial of Service

Occurrences

Remediation

We can fix this by implementing a character limit where any user or admin can enter only 255 characters and not more than 255 character on the input field

References

We are processing your report and will contact the microweber team within 24 hours. 2 years ago
Peter Ivanov validated this vulnerability 2 years ago
Nithissh12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit 5a5e82 2 years ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
Bozhidar
2 years ago

Maintainer

fixed

Nithissh12
2 years ago

Researcher

The CVE wasn't assigned

to join this conversation