The Microweber application allows an unbounded number of characters to be inserted into the "Leave a comment" input field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. in microweber/microweber


Reported on

Mar 14th 2022

Proof of Concept

  1. Go to http://site/admin/view:content/action:posts
  2. Create a page and enable to add comment option
  3. Go to that page and there will be an option called "Leave a comment"
  4. Copy the payload below, paste it into the "Leave a comment" field and post the comment
  5. Go to http://site/admin/view:modules/load_module:comments and check the comment view section; it will be flooded
  6. You will see that the application accepts a very large number of characters; increasing the size of the payload further can lead to DoS.

Download the payload from here:

Video & Image POC:

Patch recommendation:

The "Leave a comment" input should be limited to 500 characters, or at most 1000 characters.
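One way to enforce that limit on the server side, as an added example written for this report rather than Microweber's own code (the constants, function names and the assumption that the field arrives as a UTF-8 string are mine):

```php
<?php
// Added example, not Microweber's code: server-side length limit for the
// "Leave a comment" field. The limits below are assumptions based on the
// 500..1000 character recommendation above.
const COMMENT_MAX_CHARS = 1000;
const BODY_MAX_BYTES    = 16 * 1024; // whole form body, refused before parsing

/**
 * Returns null when the comment is acceptable, otherwise an error string.
 * The cheap byte-length check runs first so an oversized body is rejected
 * before any decoding work; the character count is then measured the way
 * the user sees it (multibyte-aware), not in bytes.
 */
function validateComment(string $comment, int $maxChars = COMMENT_MAX_CHARS): ?string
{
    // UTF-8 needs at most 4 bytes per character, so anything larger than
    // this cannot be within the limit regardless of encoding.
    if (strlen($comment) > $maxChars * 4) {
        return 'comment too long';
    }
    if (!mb_check_encoding($comment, 'UTF-8')) {
        return 'comment is not valid UTF-8';
    }
    $comment = trim($comment);
    if ($comment === '') {
        return 'comment is empty';
    }
    if (mb_strlen($comment, 'UTF-8') > $maxChars) {
        return "comment exceeds {$maxChars} characters";
    }
    return null;
}

// Request-level guard: refuse the request from the declared Content-Length
// alone, so the body is never read into memory when it is obviously too big.
function bodyTooLarge(array $server, int $maxBytes = BODY_MAX_BYTES): bool
{
    return (int) ($server['CONTENT_LENGTH'] ?? 0) > $maxBytes;
}

// Constructed inputs for a quick check of the boundary cases.
$cases = [
    'short' => 'Nice post!',
    'limit' => str_repeat('a', COMMENT_MAX_CHARS),
    'over'  => str_repeat('a', COMMENT_MAX_CHARS + 1),
    'multi' => str_repeat("\u{00E9}", COMMENT_MAX_CHARS), // 2 bytes each, 1000 chars
];
foreach ($cases as $name => $text) {
    printf("%-5s -> %s\n", $name, validateComment($text) ?? 'ok');
}
```

The same effect can be obtained declaratively with a framework rule such as Laravel's `max:1000` on the field, but the body-size guard still belongs in front of the form parser so a flood is rejected before it is stored or rendered in the admin comment view.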

We are processing your report and will contact the microweber team within 24 hours. 2 years ago
Bozhidar Slaveykov modified the report
2 years ago
Bozhidar Slaveykov modified the report
2 years ago
Bozhidar Slaveykov validated this vulnerability 2 years ago
akshayravic09yc47 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov marked this as fixed in 1.2.12 with commit 7065bf 2 years ago
Bozhidar Slaveykov has been awarded the fix bounty
Akshay Ravi
2 years ago


Hey any update about CVE assign?
