Advisory Database
  • Advisories
  • Dependency Scanning
  1. composer
  2. ›
  3. microweber/microweber
  4. ›
  5. CVE-2022-1631

CVE-2022-1631: Incorrect Authorization

May 10, 2022 (updated May 24, 2022)

Users Account Pre-Takeover or Users Account Takeover. in GitHub repository microweber/microweber prior to 1.2.15. Victim Account Take Over. Since, there is no email confirmation, an attacker can easily create an account in the application using the Victim’s Email. This allows an attacker to gain pre-authentication to the victim’s account. Further, due to the lack of proper validation of email coming from Social Login and failing to check if an account already exists, the victim will not identify if an account is already existing. Hence, the attacker’s persistence will remain. An attacker would be able to see all the activities performed by the victim user impacting the confidentiality and attempt to modify/corrupt the data impacting the integrity and availability factor. This attack becomes more interesting when an attacker can register an account from an employee’s email address. Assuming the organization uses G-Suite, it is much more impactful to hijack into an employee’s account.

References

  • github.com/advisories/GHSA-73rp-q4rx-5grc
  • github.com/microweber/microweber/commit/c162dfffb9bfd264d232aaaf5bb3daee16a3cb38
  • huntr.dev/bounties/5494e258-5c7b-44b4-b443-85cff7ae0ba4
  • nvd.nist.gov/vuln/detail/CVE-2022-1631

Code Behaviors & Features

Detect and mitigate CVE-2022-1631 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 1.2.15

Fixed versions

  • 1.2.15

Solution

Upgrade to version 1.2.15 or above.

Impact 8.8 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Learn more about CVSS

Weakness

  • CWE-863: Incorrect Authorization

Source file

packagist/microweber/microweber/CVE-2022-1631.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 14 May 2025 12:14:41 +0000.