Microweber CMS 1.2.15 - Account Takeover

🗓️ 03 Jun 2022 00:00:00Reported by Manojkumar JType

exploitdb🔗 www.exploit-db.com👁 264 Views

Microweber CMS 1.2.15 Account Takeove

Reporter	Title	Published	Views	Family All 18
0day.today	Microweber CMS 1.2.15 - Account Takeover Vulnerability	3 Jun 202200:00	–	zdt
Huntr	Users Account Pre-Takeover or Users Account Takeover.	5 May 202223:57	–	huntr
Huntr	Account Takeover and Persistence due to the Oauth Misconfiguration	12 Feb 202313:07	–	huntr
ATTACKERKB	CVE-2022-1631	9 May 202214:15	–	attackerkb
Circl	CVE-2022-1631	9 May 202218:36	–	circl
CNNVD	Microweber 安全漏洞	9 May 202200:00	–	cnnvd
CVE	CVE-2022-1631	9 May 202214:10	–	cve
Cvelist	CVE-2022-1631 Users Account Pre-Takeover or Users Account Takeover. in microweber/microweber	9 May 202214:10	–	cvelist
EUVD	EUVD-2022-2903	3 Oct 202520:07	–	euvd
Github Security Blog	Incorrect Authorization in microweber	10 May 202200:00	–	github

# Exploit Title: Microweber CMS 1.2.15 - Account Takeover
# Date: 2022-05-09
# Exploit Author: Manojkumar J
# Vendor Homepage: https://github.com/microweber/microweber
# Software Link: https://github.com/microweber/microweber/releases/tag/v1.2.15
# Version: <=1.2.15
# Tested on: Windows10
# CVE : CVE-2022-1631

# Description:

Microweber Drag and Drop Website Builder E-commerce CMS v1.2.15 Oauth
Misconfiguration Leads To Account Takeover.

# Steps to exploit:

1. Create an account with the victim's email address.

Register endpoint: https://target-website.com/register#

2. When the victim tries to login with default Oauth providers like Google,
Github, Microsoft, Twitter, Linkedin, Telegram or Facebook etc(auth login)
with that same e-mail id that we created account before, via this way we
can take over the victim's account with the recently created login
credentials.

03 Jun 2022 00:00Current

8.8High risk

Vulners AI Score8.8

CVSS 26.8

CVSS 3.18.8

CVSS 36.8

EPSS0.11741