microweber / microweber
Project repository
Drag and Drop Website Builder and CMS with E-commerce
Program response targets: first interaction within 4 days, review within 11 days, fix within 26 days.
| Report | Date | Reporter | Status | Severity | Bounty | CVE |
|---|---|---|---|---|---|---|
| Bypass rate limit defense in login feature | Oct 2nd 2023 | lengochoa7112000 | pending | - | - | - |
| Stored HTML injection | Sep 28th 2023 | x3419 | pending | - | - | - |
| Persistent Active Session Token in Local Storage After Logout | Sep 10th 2023 | sl4x0 | pending | - | - | - |
| Stored XSS Vulnerability in Tag Name | Aug 31st 2023 | cupc4k3 | informative | Medium | - | - |
| Reflected XSS in /editor_tools/rte_image_editor | Sep 28th 2023 | j0lger | - | Medium | - | CVE-2023-5244 |
| Secret information exfiltration by hard coding twitter API keys | Sep 30th 2023 | scgajge12 | - | Medium | - | CVE-2023-5318 |
| Exploiting a Disabled Coupon Functionality Vulnerability | Dec 15th 2023 | lujiefsi | - | Medium | - | CVE-2023-6832 |
| Leaking error content at upload file | Dec 8th 2023 | uonghoangminhchau | - | Low | - | CVE-2023-6599 |
| user can still comment the unpublish blog | Nov 7th 2023 | lujiefsi | - | Medium | - | CVE-2023-5976 |
| Unpublish and Deleted product can be checkout | Dec 7th 2023 | lujiefsi | - | Medium | - | CVE-2023-6566 |
| Cross site scripting on product Adding | May 23rd 2023 | ghostbit11 | informative | Medium | - | - |
| Stored XSS in the module named "Dashboard" | Oct 31st 2023 | chucsse | - | Medium | - | CVE-2023-5861 |
| Stored XSS on Multiple Edit Page | Jun 7th 2023 | tht1997 | - | Low | - | CVE-2023-3142 |
| Unauthenticated Access to Users PII | Apr 22nd 2023 | garthhumphreys | - | High | - | CVE-2023-2239 |
| Broken Access Control on "http://localhost/api/user" endpoint | Apr 22nd 2023 | cyberneticsplus | - | High | - | CVE-2023-2240 |
| Insufficient Session Expiration for Deleted Admin User Account | Mar 22nd 2023 | cyberneticsplus | duplicate | Medium | - | - |
| Stored XSS on Settings/Privacy_Policy | Mar 13th 2023 | cyberneticsplus | informative | High | - | - |
| HTML Injection on Settings/Template | Apr 13th 2023 | cyberneticsplus | - | Medium | - | CVE-2023-2014 |
| 1 | Feb 23rd 2023 | isdkrisna | self closed | - | - | - |
| tes aaaaaaa | Feb 18th 2023 | adelittle | self closed | - | - | - |
| Stored XSS From Visitor to Acc Takeover | Mar 31st 2023 | isdkrisna | - | High | - | CVE-2023-1881 |
| Unauthenticated Arbitrary File Read | Feb 23rd 2023 | cupc4k3 | not applicable | - | - | - |
| RCE by Server Side Template Injection | Mar 31st 2023 | cupc4k3 | - | Medium | - | CVE-2023-1877 |
| Restrictive composer.json makes Dompdf vulnerable to URI validation failure on S... | Mar 31st 2023 | martian1337 | - | Low | - | CVE-2023-1876 |
| Stored XSS in the module named "Website settings" | Feb 28th 2023 | christynorl | - | Medium | - | CVE-2023-1081 |
| File Upload Filter Bypass | Dec 1st 2022 | cr4ckc4t | - | Medium | - | CVE-2022-4732 |
| Internal path disclosure | Nov 29th 2022 | nilabhrajpoot | informative | High | - | - |
| xss in live edit | Dec 22nd 2022 | a7med-m7moued | - | Medium | - | CVE-2022-4647 |
| Post parameter namespaceMD5 is vulnerable to reflected XSS | Nov 8th 2022 | krizzsk | - | Low | - | CVE-2022-4617 |
| Reflected XSS | Oct 24th 2022 | 0xgad | informative | Medium | - | - |
| Cross-site Scripting (XSS) - Reflected in | Oct 24th 2022 | ahmed8magdy | informative | High | - | - |
| Stored Cross-Site Scripting in add/edit post content | Oct 24th 2022 | ar6aaz | informative | High | - | - |
| Xss vulnerability in Button module | Feb 1st 2023 | christynorl | - | Medium | - | CVE-2023-0608 |
| Password Reset Poisoning | Oct 27th 2022 | vautia | informative | Low | - | - |
| html injection on https://demo.microweber.org/demo/search.php?keywords= | Sep 20th 2022 | anupamas0x1 | - | Medium | - | CVE-2022-3242 |
| HTML Injection vulnerability in create tag functionality | Sep 20th 2022 | nithissh200 | - | Medium | - | CVE-2022-3245 |
| Weak Password Change Mechanism | Sep 5th 2022 | 7h3h4ckv157 | informative | Medium | - | - |
| Weak Password Requirements | Sep 5th 2022 | 7h3h4ckv157 | informative | Medium | - | - |
| Cross-site Scripting (XSS) - Stored | Aug 29th 2022 | a1ise | informative | Medium | - | - |
| Stored Cross-Site Scripting (XSS) vulnerability on category name of edit_categor... | Aug 26th 2022 | scriptidiot | informative | Medium | - | - |
| Cross-site Scripting (XSS) - Stored on Translations | Aug 15th 2022 | ahkecha | - | Low | - | - |
| Stored XSS on Categories | Aug 11th 2022 | ahkecha | - | Medium | - | CVE-2022-2777 |
| Cross-site Scripting (XSS) - Reflected | Jul 18th 2022 | kingerbans | - | Low | - | CVE-2022-2470 |
| Bypass IP detection to brute-force password | Jul 11th 2022 | nhienit2010 | - | Medium | - | CVE-2022-2368 |
| Cross-site scripting - DOM | Jul 8th 2022 | nhienit2010 | - | Medium | - | CVE-2022-2353 |
| Stored XSS via SVG File | Jul 20th 2022 | thwinhtetwin | - | Medium | - | CVE-2022-2495 |
| Improper handling of parameter lead to listing any directory | Jul 6th 2022 | nhienit2010 | - | Medium | - | - |
| Cross-site scripting - Stored via upload ".xlr" file | Jul 4th 2022 | nhienit2010 | - | Low | - | - |
| Cross-site scripting - Stored via upload ".pages" file | Jul 4th 2022 | nhienit2010 | - | Medium | - | CVE-2022-2300 |
| Bypassing SVG content cleaning lead to Stored XSS | Jul 1st 2022 | flex0geek | - | Medium | - | CVE-2022-2280 |
| Bypass open redirect protection | Jun 29th 2022 | flex0geek | - | Medium | - | CVE-2022-2252 |
| CSRF attack while uploading files on [/plupload] via GET request | Jun 27th 2022 | flex0geek | - | Low | - | - |
| Unverified Password Change When a User Changes Password | Jun 24th 2022 | dievus | informative | High | - | - |
| Reflected XSS on /api/module | Jun 22nd 2022 | jhond0e | - | Medium | - | CVE-2022-2174 |
| Reflected XSS on /editor_tools/module | Jun 20th 2022 | jhond0e | - | Medium | - | CVE-2022-2130 |
| Path Traversal via Files Manager | Jun 3rd 2022 | domiee13 | - | Low | - | - |
| UI REDRESSING | May 26th 2022 | tharunavula | - | Medium | - | - |
| Application Level DoS: | May 18th 2022 | 7h3h4ckv157 | - | Low | - | - |
| Blind SSRF with out-of-band | May 17th 2022 | jesusmariabermudez | informative | High | - | - |
| The microweber application allows large characters to insert in the input field... | May 16th 2022 | akshayravic09yc47 | - | None | - | - |
| Stack Trace error leads to source code/backend sensitive information disclosure | May 13th 2022 | akshayravic09yc47 | not applicable | - | - | - |
| 0 quantity orders are allowed | May 9th 2022 | m1m1cat | - | Low | - | - |
| Users Account Pre-Takeover or Users Account Takeover. | May 9th 2022 | thewhiteevil | - | Medium | - | CVE-2022-1631 |
| DOM XSS in microweber ver 1.2.15 | May 3rd 2022 | minhnb11 | - | High | $15 | CVE-2022-1555 |
| Reflected XSS | May 4th 2022 | wfinn | - | Medium | - | CVE-2022-1584 |
| Cross-site scripting - DOM via view file function | Apr 29th 2022 | nhienit2010 | - | Low | - | - |
| Reflected XSS in microweber | Apr 29th 2022 | minhnb11 | - | Low | - | - |
| Cross-site scripting - Stored via upload ".msg" file | Apr 29th 2022 | nhienit2010 | - | Low | - | - |
| Cross-site scripting - Stored via upload ".cad" file | Apr 28th 2022 | nhienit2010 | - | Low | - | - |
| Cross-site Request Forgery (CSRF) in login page | Apr 29th 2022 | nhienit2010 | informative | High | - | - |
| Reflect XSS on demo.microweber.org | Apr 28th 2022 | minhnb11 | not applicable | - | - | - |
| XSS in /demo/module/?module=HERE | Apr 27th 2022 | wfinn | - | Medium | - | CVE-2022-1504 |
| Reflected XSS on demo.microweber.org/demo/module/ | Apr 22nd 2022 | wfinn | - | Medium | - | CVE-2022-1439 |
| CSRF on update cart functionality | Apr 4th 2022 | nithissh200 | - | Low | - | - |
| The microweber application allows large characters to insert in the input field... | Mar 21st 2022 | sampritdas8 | - | None | - | - |
| stored xss in uploaded photo checkbox | Mar 21st 2022 | keralaboy123 | - | Low | - | - |
| Able to create an account with long password leads to memory corruption / Intege... | Mar 21st 2022 | nithissh200 | - | Medium | - | CVE-2022-1036 |
| Path Traversal | Mar 15th 2022 | thanhlocstudent | - | Low | - | - |
| The microweber application allows large characters to insert in the input field... | Mar 15th 2022 | vishalvishw10 | - | None | - | - |
| The microweber application allows large characters to insert in the input field... | Mar 15th 2022 | akshayravic09yc47 | - | None | - | - |
| No Rate Limit on Copoun Code Functionality | Mar 15th 2022 | itsfading | - | Low | - | - |
| The microweber application allows large characters to insert in the input field... | Mar 14th 2022 | akshayravic09yc47 | - | High | - | CVE-2022-0968 |
| The microweber application allows large characters to insert in the input field... | Mar 14th 2022 | akshayravic09yc47 | - | High | $1.5 | CVE-2022-0961 |
| Unrestricted XML Files Leads to Stored XSS | Mar 14th 2022 | thanhlocstudent | - | Medium | - | CVE-2022-0963 |
| Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Setti... | Mar 14th 2022 | scriptidiot | - | Medium | - | CVE-2022-0954 |
| File upload filter bypass leading to stored XSS | Mar 11th 2022 | scriptidiot | - | High | - | CVE-2022-0930 |
| XSS on dynamic_text module | Mar 11th 2022 | rajeshpatil013 | - | Medium | - | CVE-2022-0929 |
| Unrestricted Upload of File with Dangerous Type | Mar 10th 2022 | nhiephon | - | Medium | - | CVE-2022-0912 |
| Integer Overflow or Wraparound | Mar 11th 2022 | sampritdas8 | - | Critical | $25 | CVE-2022-0913 |
| File upload filter bypass leading to stored XSS | Mar 11th 2022 | rajeshpatil013 | - | High | $15 | CVE-2022-0926 |
| Abusing Backup/Restore feature to achieve Remote Code Execution | Mar 11th 2022 | quandqn | - | High | $15 | CVE-2022-0921 |
| Cross-site Scripting (XSS) - Stored | Mar 11th 2022 | scriptidiot | - | Medium | - | CVE-2022-0928 |
| Unrestricted file upload leads to stored XSS | Mar 9th 2022 | quandqn | - | Medium | - | CVE-2022-0906 |
| Static Code Injection | Mar 9th 2022 | crowdoverflow | - | High | $1 | CVE-2022-0895 |
| Improper Neutralization of Special Elements Used in a Template Engine | Mar 9th 2022 | crowdoverflow | - | High | $15 | CVE-2022-0896 |
| Insufficient Granularity of Access Control | Mar 9th 2022 | rajeshpatil013 | - | Medium | - | - |
| Weak Password Recovery Mechanism for Forgotten Password | Feb 28th 2022 | hdvinnie | - | High | $15 | CVE-2022-0777 |
| Business Logic Errors | Feb 25th 2022 | tuonggg | - | Medium | - | CVE-2022-0762 |
| Cross-site Scripting (XSS) - Stored | Feb 25th 2022 | tuonggg | - | Medium | - | CVE-2022-0763 |
| Cross-site Scripting (XSS) - Reflected | Feb 22nd 2022 | daman-preet-singh | - | High | - | CVE-2022-0719 |
| Insertion of Sensitive Information Into Debugging Code | Feb 22nd 2022 | daman-preet-singh | - | High | $17 | CVE-2022-0721 |
| Cross-site Scripting (XSS) - Reflected | Feb 25th 2022 | daman-preet-singh | - | High | $15 | CVE-2022-0723 |
| Insecure Storage of Sensitive Information | Feb 22nd 2022 | sampritdas8 | - | Critical | $25 | CVE-2022-0724 |
| Cross-site Scripting (XSS) - Reflected | Feb 19th 2022 | daman-preet-singh | - | High | $15 | CVE-2022-0690 |
| Uncaught Exception | Feb 19th 2022 | daman-preet-singh | - | High | - | - |
| Use multiple time the one-time coupon | Feb 19th 2022 | am0o0 | - | Medium | $25 | CVE-2022-0689 |
| Business Logic Errors | Feb 19th 2022 | nithissh200 | - | Critical | $25 | CVE-2022-0688 |
| Cross-site Scripting (XSS) - Reflected | Feb 18th 2022 | p0cas | - | Medium | $15 | CVE-2022-0678 |
| Improper Input Validation | Feb 17th 2022 | nithissh200 | - | High | - | - |
| CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https:... | Feb 17th 2022 | yashrk078 | - | High | - | CVE-2022-0666 |
| Improper Handling of Length Parameter Inconsistency | Feb 17th 2022 | nithissh200 | - | High | - | - |
| Generation of Error Message Containing Sensitive Information | Feb 17th 2022 | 0x2374 | - | Critical | - | CVE-2022-0660 |
| Open Redirect | Feb 14th 2022 | kushagrasarathe | - | Medium | - | CVE-2022-0597 |
| Business Logic Errors | Feb 14th 2022 | dev696 | - | Medium | - | CVE-2022-0596 |
| Cross-site Scripting (XSS) - Stored | Feb 10th 2022 | nithissh200 | - | Critical | - | CVE-2022-0558 |
| OS Command Injection | Feb 10th 2022 | aggressiveuser | - | High | - | CVE-2022-0557 |
| External Control of File Name or Path | Feb 7th 2022 | talhakarakumru | - | High | - | - |
| Cross-site Scripting (XSS) - Stored | Feb 7th 2022 | inweol | - | High | - | CVE-2022-0506 |
| Cross-site Scripting (XSS) - Stored | Jan 26th 2022 | nithissh200 | - | High | $8.5 | CVE-2022-0379 |
| Cross-Site Request Forgery (CSRF) | Feb 7th 2022 | shubh123-tri | - | Medium | $20 | CVE-2022-0505 |
| Generation of Error Message Containing Sensitive Information | Feb 7th 2022 | shubh123-tri | - | Medium | $35 | CVE-2022-0504 |
| Exposure of Sensitive Information to an Unauthorized Actor | Jan 19th 2022 | r0hansh | - | High | $45 | CVE-2022-0281 |
| Improper Access Control | Jan 19th 2022 | r0hansh | - | Medium | $45 | CVE-2022-0277 |
| Cross-site Scripting (XSS) - Stored | Jan 19th 2022 | r0hansh | - | High | $22.5 | CVE-2022-0278 |
| Code Injection | Jan 19th 2022 | r0hansh | - | Medium | $4.5 | CVE-2022-0282 |
| Cross-site Scripting (XSS) - Reflected | Jan 26th 2022 | r0hansh | - | High | $22.5 | CVE-2022-0378 |
| Open Redirect | Feb 10th 2022 | r0hansh | - | Medium | $4.5 | CVE-2022-0560 |
| Cross-Site Request Forgery (CSRF) | Feb 16th 2022 | hdvinnie | - | Medium | $22.5 | CVE-2022-0638 |
| Cross-Site Request Forgery (CSRF) | Feb 17th 2022 | am0o0 | - | Low | $26 | - |
| Business Logic Errors | Oct 27th 2021 | haxatron | - | High | $40 | - |
| Cross-Site Request Forgery (CSRF) | Oct 27th 2021 | am0o0 | - | Medium | $44 | - |
| Improper Restriction of Power Consumption | Oct 22nd 2021 | am0o0 | - | Medium | $40 | - |
| Improper Validation of Integrity Check Value | Oct 28th 2021 | am0o0 | - | Medium | $40 | - |
| Session Fixation | Oct 22nd 2021 | am0o0 | - | Low | $40 | - |
| Cross-Site Request Forgery (CSRF) | Sep 14th 2021 | am0o0 | - | Medium | $31.25 | - |
| Improper Privilege Management | Sep 13th 2021 | thelabda | - | Medium | $12.5 | - |
| Cross-Site Request Forgery (CSRF) | Sep 13th 2021 | am0o0 | - | Medium | $40 | - |
| Cross-Site Request Forgery (CSRF) | Aug 10th 2021 | am0o0 | - | High | $20 | - |
| Cross-Site Request Forgery (CSRF) | Sep 9th 2021 | am0o0 | - | Medium | $11.25 | - |
| Cross-Site Request Forgery (CSRF) | Aug 10th 2021 | am0o0 | - | Medium | $25 | - |
| Cross-Site Request Forgery (CSRF) | Feb 17th 2022 | am0o0 | - | High | $25 | - |
| Cross-Site Request Forgery (CSRF) | Sep 9th 2021 | am0o0 | - | High | $25 | - |
| Cross-Site Request Forgery (CSRF) | Sep 9th 2021 | am0o0 | - | High | $25 | - |
| Cross-Site Request Forgery (CSRF) | Sep 9th 2021 | effectrenan | - | High | $25 | - |
| Business Logic Errors | Sep 9th 2021 | effectrenan | - | High | $25 | - |
| Cross-site Scripting (XSS) - Stored | Jul 7th 2021 | 20kilograma | - | Medium | $25 | - |
| Unrestricted Upload of File with Dangerous Type | Nov 2nd 2021 | ready-research | - | High | $25 | CVE-2020-23138 |
Bounty amounts by severity: Critical $0, High $0, Medium $0, Low $0.