Microweber CMS 1.2.15 – Account Takeover

• Exploit Database
• 14 阅读

• 作者： Manojkumar J
  日期： 2022-06-03
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50947/

• # Exploit Title: Microweber CMS 1.2.15 - Account Takeover
  # Date: 2022-05-09
  # Exploit Author: Manojkumar J
  # Vendor Homepage: https://github.com/microweber/microweber
  # Software Link: https://github.com/microweber/microweber/releases/tag/v1.2.15
  # Version: <=1.2.15
  # Tested on: Windows10
  # CVE : CVE-2022-1631
  
  # Description:
  
  Microweber Drag and Drop Website Builder E-commerce CMS v1.2.15 Oauth
  Misconfiguration Leads To Account Takeover.
  
  # Steps to exploit:
  
  1. Create an account with the victim's email address.
  
  Register endpoint: https://target-website.com/register#
  
  2. When the victim tries to login with default Oauth providers like Google,
  Github, Microsoft, Twitter, Linkedin, Telegram or Facebook etc(auth login)
  with that same e-mail id that we created account before, via this way we
  can take over the victim's account with the recently created login
  credentials.