Unauthenticated Access to Users PII in microweber/microweber


Reported on

Mar 21st 2023


An unauthorized, unauthenticated attacker can access the PII data of all users.

Some of the PII fields leaked are: first name, last name, email, username, IP address, two_factor_secret and two_factor_recovery_codes.

Proof of Concept


It shows the details of all the users.


This also works on the demo site.


An attacker can access the PII data.

We are processing your report and will contact the microweber team within 24 hours. 9 months ago
We have contacted a member of the microweber team and are waiting to hear back 8 months ago
Peter Ivanov modified the Severity from High (8.2) to High (7.1) 8 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability 8 months ago
Garth Humphreys has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.3.4 with commit b0644c 8 months ago
Peter Ivanov has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Apr 22nd 2023
Garth Humphreys
8 months ago


Thank you for validating the issue.

Peter Ivanov published this vulnerability 7 months ago