Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Users Account Pre-Takeover or Users Account Takeover. in microweber/microweber
Vulnerability Description
Users Account Pre-Takeover or Users Account Takeover in GitHub repository microweber/microweber prior to 1.2.15. Victim account takeover: since there is no email confirmation, an attacker can easily create an account in the application using the victim's email address. This gives the attacker a pre-authenticated foothold in the victim's account. Further, because the email address coming from Social Login is not properly validated and the application fails to check whether an account with that address already exists, the victim is never told that an account already exists, so the attacker's access persists. An attacker would be able to see all the activities performed by the victim user, impacting confidentiality, and could attempt to modify or corrupt the data, impacting integrity and availability. This attack becomes more interesting when an attacker can register an account using an employee's email address; assuming the organization uses G-Suite, hijacking an employee's account is far more impactful.
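The flaw described above is a pre-account-takeover pattern: an unverified local sign-up with someone else's email address is later merged with a social login for that same address. The following is an added example, not Microweber's code; the in-memory `AccountStore`, the `User` model and the sample addresses are constructed for illustration. It contrasts the flawed merge (`social_login_vulnerable`) with a hardened flow that issues an email-verification token at registration and refuses to attach a social identity to an account whose email was never confirmed.

```python
"""Defensive model of registration + social login (added example, constructed)."""
from dataclasses import dataclass, field
from typing import Optional, Set
import secrets


@dataclass
class User:
    email: str
    email_verified: bool = False
    linked_providers: Set[str] = field(default_factory=set)
    verify_token: Optional[str] = None  # one-time token mailed at sign-up (assumed flow)


class AccountStore:
    """Toy user database keyed by normalised email address."""

    def __init__(self) -> None:
        self.users: dict = {}

    @staticmethod
    def normalise(email: str) -> str:
        return email.strip().lower()

    def register(self, email: str) -> User:
        """Local sign-up: the account starts UNVERIFIED until the token is redeemed."""
        email = self.normalise(email)
        if email in self.users:
            raise ValueError("account already exists")
        user = User(email=email, verify_token=secrets.token_urlsafe(16))
        self.users[email] = user
        return user

    def confirm_email(self, email: str, token: str) -> bool:
        """Only the mailbox owner can redeem the token; compare in constant time."""
        user = self.users.get(self.normalise(email))
        if user is None or user.verify_token is None:
            return False
        if not secrets.compare_digest(user.verify_token, token):
            return False
        user.email_verified = True
        user.verify_token = None
        return True


def social_login_vulnerable(store: AccountStore, provider: str, provider_email: str) -> User:
    """Mirrors the flawed behaviour: trust the provider's email and silently merge
    into whatever account already carries it, verified or not."""
    email = store.normalise(provider_email)
    user = store.users.get(email)
    if user is None:
        user = User(email=email, email_verified=True)
        store.users[email] = user
    user.linked_providers.add(provider)
    return user


def social_login_hardened(store: AccountStore, provider: str,
                          provider_email: str, provider_email_verified: bool) -> User:
    """Hardened flow: require the provider to assert a verified email, and never
    link a social identity to a local account whose email was never confirmed."""
    if not provider_email_verified:
        raise PermissionError("identity provider did not assert a verified email")
    email = store.normalise(provider_email)
    user = store.users.get(email)
    if user is None:
        # Fresh social sign-up: the provider has verified the mailbox for us.
        user = User(email=email, email_verified=True)
        store.users[email] = user
    elif not user.email_verified:
        # Collision with an unverified local sign-up (the pre-takeover case):
        # refuse to merge so a squatter cannot inherit the victim's session.
        raise PermissionError("an unverified account with this email exists; "
                              "complete email verification before linking")
    user.linked_providers.add(provider)
    return user
```

In the vulnerable path, an unverified account pre-registered with the victim's address receives the victim's social identity and the squatter keeps access; in the hardened path the same collision is rejected, and the only way forward is redeeming a token that was mailed to the real mailbox owner.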
CVSS Information
N/A
Vulnerability Type
Improper Access Control
Vulnerability Title
Microweber security vulnerability
Vulnerability Description
Microweber is a drag-and-drop online store management system from the US-based Microweber community. The system includes modules for adding products, images and more. Versions of Microweber prior to 1.2.15 contain a security vulnerability caused by the lack of proper validation of the email address coming from social login. An attacker can exploit this vulnerability to easily create an account in the application using the victim's email address.
CVSS Information
N/A
Vulnerability Type
N/A