Microweber CMS 1.2.15 Account Takeover

2022.06.04
Credit: Manojkumar J
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: Microweber CMS 1.2.15 - Account Takeover
# Date: 2022-05-09
# Exploit Author: Manojkumar J
# Vendor Homepage: https://github.com/microweber/microweber
# Software Link: https://github.com/microweber/microweber/releases/tag/v1.2.15
# Version: <=1.2.15
# Tested on: Windows 10
# CVE : CVE-2022-1631

# Description:
Microweber Drag and Drop Website Builder E-commerce CMS v1.2.15 links OAuth ("social") logins to an existing local account by e-mail address alone, without checking that the local account ever proved control of that address. An attacker who pre-registers an account under the victim's e-mail address therefore keeps password access to the account the victim later reaches through an OAuth provider: an OAuth misconfiguration that leads to account takeover.

# Steps to exploit:
1. Create an account with the victim's e-mail address (registration does not require proving control of the address).
   Register endpoint: https://target-website.com/register#
2. When the victim later logs in through one of the default OAuth providers (Google, GitHub, Microsoft, Twitter, LinkedIn, Telegram, Facebook, etc.) using that same e-mail address, the OAuth login is matched to the account created in step 1. The victim is now using an account whose password the attacker chose, so the attacker can sign in with those credentials at any time and take over the victim's account.
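The following is an added example, not Microweber's code, that models the account-linking decision behind a "login with provider" flow in Python. `UserStore`, `oauth_login_vulnerable`, `oauth_login_hardened`, the sample profile and the addresses in `demo()` are all constructed for illustration. The vulnerable function reproduces the two steps above (match the OAuth identity to whatever local account has the same e-mail); the hardened one refuses to auto-link unless the provider asserts the address is verified and the local account has itself verified the same address, so an attacker-registered placeholder cannot capture the victim's login.

```python
"""Model of OAuth account linking by e-mail: vulnerable vs. hardened.

Added example; none of this is Microweber's code. Names and sample data
are assumptions made for the demonstration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ROUNDS = 100_000


def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; salt (16 bytes) is stored in front of the digest."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    email: str
    password_hash: Optional[bytes] = None      # None: social-login-only account
    email_verified: bool = False               # set once the address was confirmed
    linked_providers: set = field(default_factory=set)


class UserStore:
    """Minimal in-memory user table keyed by lower-cased e-mail address."""

    def __init__(self) -> None:
        self.by_email: dict = {}

    def register(self, email: str, password: str) -> User:
        # Step 1 of the advisory: registration stores the address unverified.
        email = email.lower()
        if email in self.by_email:
            raise ValueError("e-mail already registered")
        user = User(email=email, password_hash=hash_password(password))
        self.by_email[email] = user
        return user

    def check_password(self, email: str, password: str) -> bool:
        user = self.by_email.get(email.lower())
        return (user is not None and user.password_hash is not None
                and verify_password(password, user.password_hash))


class LinkingRefused(Exception):
    """Raised when an OAuth identity may not be silently attached to a local account."""


def oauth_login_vulnerable(store: UserStore, profile: dict) -> User:
    """Match the OAuth identity to a local account by e-mail alone.

    If an attacker pre-registered the victim's address, the victim lands in
    the attacker's account, whose password the attacker already knows.
    """
    email = profile["email"].lower()
    user = store.by_email.get(email)
    if user is None:
        user = User(email=email, email_verified=True)
        store.by_email[email] = user
    user.linked_providers.add(profile["provider"])
    return user


def oauth_login_hardened(store: UserStore, profile: dict) -> User:
    """Auto-link only when both sides have verified the same address.

    A local account that never confirmed its e-mail is not trusted as the
    owner of that address; the caller must run an explicit linking step
    (e.g. re-authenticate with the existing password) instead.
    """
    email = profile["email"].lower()
    if not profile.get("email_verified"):
        raise LinkingRefused("provider did not verify the e-mail address")
    user = store.by_email.get(email)
    if user is None:
        user = User(email=email, email_verified=True)
        store.by_email[email] = user
    elif not user.email_verified and profile["provider"] not in user.linked_providers:
        raise LinkingRefused("local account with this e-mail is unverified; "
                             "require password re-authentication before linking")
    user.linked_providers.add(profile["provider"])
    return user


def demo() -> dict:
    """Run the advisory's two steps against both variants.

    Returns {variant: True if the attacker's password still opens the account
    the victim now uses via OAuth}.
    """
    results = {}
    # Constructed sample data: victim address and an ID-token-like profile.
    profile = {"provider": "google", "sub": "10769150350006150715113082367",
               "email": "Victim@example.com", "email_verified": True}
    for name, login in (("vulnerable", oauth_login_vulnerable),
                        ("hardened", oauth_login_hardened)):
        store = UserStore()
        store.register("victim@example.com", "attacker-chosen-pw")   # step 1
        try:
            user = login(store, profile)                               # step 2
            results[name] = ("google" in user.linked_providers and
                             store.check_password("victim@example.com", "attacker-chosen-pw"))
        except LinkingRefused:
            results[name] = False
    return results


if __name__ == "__main__":
    print(demo())   # {'vulnerable': True, 'hardened': False}
```

In the hardened path the `LinkingRefused` branch is the point: an unverified local account with a matching address is exactly the attacker's placeholder from step 1, so the flow must fall back to an explicit, authenticated link (or to sending a confirmation to the address) rather than logging the victim in. Requiring e-mail confirmation at registration closes the same hole from the other side.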


Copyright 2022, cxsecurity.com

 
