Lucene search

GitHub Advisory DatabaseGHSA-C5GJ-W4HX-GVMX

HistoryFeb 21, 2022 - 12:00 a.m.

Business Logic Errors in microweber

2022-02-2100:00:21

GitHub Advisory Database

github.com

microweber

insecure direct object reference

cart item removal

vulnerability

software

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

21.2%

JSON

Microweber prior to 1.2.11 can suffer from insecure direct object reference(s). A malicious actor can remove items from a victim’s cart.

Affected configurations

Vulners

Node

microwebermicroweberRange<1.2.11

VendorProductVersionCPE
microwebermicroweber*cpe:2.3:a:microweber:microweber:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
microweber	microweber	*	cpe:2.3:a:microweber:microweber::::::::

References

github.com/advisories/GHSA-c5gj-w4hx-gvmx

github.com/microweber/microweber/commit/a41f0fddaf08ff12b2b82506b1ca9490c93ab605

huntr.dev/bounties/051ec6d4-0b0a-41bf-9ded-27813037c9c9

nvd.nist.gov/vuln/detail/CVE-2022-0688

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

21.2%

JSON

Related for GHSA-C5GJ-W4HX-GVMX