CVE-2022-1631
Published 2022-05-09
CVE-2022-1631: Users Account Pre-Takeover or Users Account Takeover in GitHub repository microweber/microweber prior to 1.2.15.
Priority: P2 (66) · Severity: high · CVSS 3.1: 8.8
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: EPSS 8.77% (94.5th percentile)
Users Account Pre-Takeover or Users Account Takeover in GitHub repository microweber/microweber prior to 1.2.15 (victim account takeover). Since there is no email confirmation, an attacker can easily create an account in the application using the victim's email. This gives the attacker pre-authenticated access to what will become the victim's account. Further, because the email coming from Social Login is not properly validated and the application does not check whether an account already exists, the victim is never told that an account with their address already exists, so the attacker's persistence remains. The attacker would be able to see all the activities performed by the victim user, impacting confidentiality, and attempt to modify or corrupt data, impacting integrity and availability. This attack becomes more interesting when an attacker can register an account with an employee's email address: assuming the organization uses G Suite, hijacking an employee's account is far more impactful.
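The two defects above (registration without confirmation, social login that silently attaches to an existing local account matched by email) can be modelled as a small account-resolution routine. The following is an added illustration written for this page, not Microweber's code: the data classes, the provider `email_verified` flag and the `resolve_*` function names are assumptions; the "hardened" variant refuses to auto-link unless the local account has confirmed its address and the provider vouches for it, and otherwise surfaces a conflict so the real owner learns an account already exists.

```python
"""Model of the CVE-2022-1631 pre-takeover pattern and a hardened resolver.

Constructed example (not project code): an attacker pre-registers a local
account with the victim's e-mail and never confirms it; the victim later
signs in through a social provider using the same address.
"""
from dataclasses import dataclass, field


@dataclass
class LocalAccount:
    email: str
    email_verified: bool                      # True only after the confirmation link was used
    linked_providers: set = field(default_factory=set)


@dataclass
class SocialIdentity:
    provider: str                             # e.g. "google"
    email: str
    email_verified: bool                      # what the provider asserts (e.g. OIDC email_verified)


def resolve_vulnerable(accounts: dict, ident: SocialIdentity):
    """Pre-1.2.15-style behaviour as the advisory describes it: match on e-mail only.

    An unverified account registered by someone else is treated as the
    caller's own, so the social login lands in the attacker's account.
    """
    key = ident.email.lower()
    acct = accounts.get(key)
    if acct is None:
        acct = accounts[key] = LocalAccount(ident.email, True)
    acct.linked_providers.add(ident.provider)  # attaches even to an unverified account
    return "login", acct


def resolve_hardened(accounts: dict, ident: SocialIdentity):
    """Link only when ownership of the address is proven on both sides."""
    key = ident.email.lower()
    if not ident.email_verified:
        return "reject", None                 # provider did not vouch for this address
    acct = accounts.get(key)
    if acct is None:
        acct = accounts[key] = LocalAccount(ident.email, True)  # provider-verified address
    elif not acct.email_verified:
        return "conflict", acct               # address was claimed locally but never confirmed
    acct.linked_providers.add(ident.provider)
    return "login", acct
```

A `conflict` result is where the application should stop and require an explicit ownership check (confirmation mail to the address) instead of logging the user into the pre-registered account.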
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microweber | microweber | < 1.2.15 | 1.2.15 |
| microweber | microweber | >= 0 < 1.2.15 | 1.2.15 |
| microweber | microweber_microweber | >= unspecified < 1.2.15 | 1.2.15 |
Detection & IOCs (extracted from sources)
- Monitor for account registration attempts using the /register# endpoint, particularly where the registered email matches an existing or targeted user's email address (pre-takeover pattern).
- Detect OAuth login flows where a social login (Google, Github, Microsoft, Twitter, Linkedin, Telegram, Facebook) succeeds for an email address that already has a locally registered account; this is the account takeover trigger condition.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 6.8 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| cisa | | 9.8 | CRITICAL | |
OSV
osv · 2022-05-10
CVE-2022-1631 [HIGH] Incorrect Authorization in microweber
GHSA
ghsa · 2022-05-10
CVE-2022-1631 [HIGH] CWE-284 Incorrect Authorization in microweber
CISA
cisa · 2022-03-25 · CVSS 9.8
CVE-2020-1631 [HIGH] CWE-22 Juniper Junos OS Path Traversal Vulnerability
Vulnerability: Juniper Junos OS Path Traversal Vulnerability
Affected: Juniper Junos OS
A path traversal vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-1631
Remediation Due Date: 2022-04-15
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/167376/Microweber-CMS-1.2.15-Account-Takeover.html
- https://github.com/microweber/microweber/commit/c162dfffb9bfd264d232aaaf5bb3daee16a3cb38
- https://huntr.dev/bounties/5494e258-5c7b-44b4-b443-85cff7ae0ba4