Headline
CVE-2023-48122: Account Takeover through Login/Redirect · Issue #1042 · microweber/microweber
An issue in microweber v.2.0.1 and fixed in v.2.0.4 allows a remote attacker to obtain sensitive information via the HTTP GET method.
Description
Login credentials should be accepted only in the body of a POST request, but the user_login endpoint also accepts them as query-string parameters of a GET request.
Proof of Concept
https://demo.microweber.org/v2/api/user_login?username=admin&password=password&http_redirect=1&where_to=admin_content
Impact
Because the username and password travel in the URL query string, they are exposed wherever request URLs are observed or recorded: on the wire, in browser history, in web server and proxy access logs, and in the Referer header sent to any page the login redirects to. Anyone with access to that traffic or those logs obtains a valid set of credentials.
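The following is an added example, not code from the original report or from the microweber project. It shows the two checks a practitioner would want for this class of issue (CWE-598): a scan of web server access logs for login requests that carry credentials in the query string (the shape of the PoC URL above), with the secret values redacted so the finding can be shared, and a server-side guard that rejects a login attempt unless the method is POST and no credential parameter sits in the query string. The log lines, the parameter list SENSITIVE_PARAMS and the helper names are constructed for the example and are assumptions, not taken from the project.

```python
"""Detect and reject credentials carried in GET query strings (CWE-598)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that must never appear in a URL query string.
# Assumption: this list is illustrative; extend it for the application in scope.
SENSITIVE_PARAMS = {"password", "passwd", "pass", "pwd", "token", "secret"}

# Apache/nginx "combined"-style access log line (constructed regex for the sample below).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def sensitive_query_params(target):
    """Return the sensitive parameter names present in a request target's query string."""
    query = urlsplit(target).query
    names = {k for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(n for n in names if n.lower() in SENSITIVE_PARAMS)


def redact_target(target):
    """Replace the values of sensitive parameters with *** so a finding can be reported."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = "&".join(
        f"{k}={'***' if k.lower() in SENSITIVE_PARAMS else v}" for k, v in pairs
    )
    return parts._replace(query=redacted).geturl()


def scan_access_log(lines):
    """Return one finding per log line whose query string carries a sensitive parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        leaked = sensitive_query_params(m["target"])
        if leaked:
            findings.append({
                "ip": m["ip"],
                "method": m["method"],
                "path": urlsplit(m["target"]).path,
                "params": leaked,
                "redacted": redact_target(m["target"]),
            })
    return findings


def login_request_allowed(method, query_params):
    """Server-side guard (hardened behaviour): accept a login only over POST and only
    when no credential parameter was supplied in the query string, so credentials can
    come from the request body alone."""
    if method != "POST":
        return False
    return not any(k.lower() in SENSITIVE_PARAMS for k in query_params)


# Constructed sample log lines (not real traffic). The first mirrors the PoC URL shape.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2023:12:00:01 +0000] "GET /v2/api/user_login'
    '?username=admin&password=hunter2&http_redirect=1&where_to=admin_content HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Nov/2023:12:00:02 +0000] "POST /v2/api/user_login HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Nov/2023:12:00:03 +0000] "GET /v2/api/user_login?username=admin HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f"{finding['ip']} {finding['method']} {finding['redacted']} leaks {finding['params']}")
```

Only the first sample line is reported: the POST carries its credentials in the body, and a bare username in the query string is not treated as a secret here. When reviewing real logs, remember that the query string may already have been written to disk by every proxy and load balancer in front of the application, so rotating the exposed passwords is part of the remediation, not only the code fix.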
Remediation
I think the problem is with the redirect after login. I am not a programmer, but maybe the issue is related to this code:
<?php if (isset($_GET['redirect'])): ?>
<input type="hidden" value="<?php echo mw()->format->clean_xss($_GET['redirect']); ?>" name="redirect">
<?php endif; ?>
Reference
https://cwe.mitre.org/data/definitions/598.html - Use of GET Request Method With Sensitive Query Strings
CVSS Score
Request
It would be great if it were possible to assign a CVE, as huntr.dev is not accepting reports for your repo.