CVE-2022-1631
published 2022-05-09

Priority: P2 / 66 / high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: flagged (EXPLOIT badge)
EPSS: 8.77% (94.5th percentile)
Users Account Pre-Takeover or Users Account Takeover in the GitHub repository microweber/microweber prior to 1.2.15 (victim account takeover). Since there is no email confirmation, an attacker can easily create an account in the application using the victim's email address, which gives the attacker pre-authenticated access to the victim's account. Further, because the email address coming from Social Login is not properly validated and the application does not check whether an account already exists, the victim will not notice that an account already exists, so the attacker's persistence remains. An attacker would be able to see all the activities performed by the victim user, impacting confidentiality, and attempt to modify or corrupt the data, impacting integrity and availability. This attack becomes more interesting when an attacker can register an account from an employee's email address; assuming the organization uses G-Suite, hijacking an employee's account is much more impactful.

Affected

3 ranges

Vendor      Product                 Version range              Fixed in
microweber  microweber              < 1.2.15                   1.2.15
microweber  microweber              >= 0 < 1.2.15              1.2.15
microweber  microweber_microweber   >= unspecified < 1.2.15    1.2.15

Detection & IOCs (extracted from sources)

  • Monitor for account registration attempts using the /register# endpoint, particularly where the registered email matches an existing or targeted user's email address (pre-takeover pattern).
  • Detect OAuth login flows where a social login (Google, Github, Microsoft, Twitter, Linkedin, Telegram, Facebook) succeeds for an email address that already has a locally-registered account — this is the account takeover trigger condition.
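
As an added illustration (not code from the CVE record or from the microweber project), the two detection rules above applied to constructed key=value auth log lines in Python; the /api/social_login path, the field names, the watched domain and the sample addresses are assumptions made for this example.

```python
import re

# Constructed sample auth log lines (not from the CVE record). path=/register# is the
# registration endpoint named in the advisory; the social-login path, field names and
# addresses are assumptions made for this example.
SAMPLE_LOG = """\
2022-05-01T10:00:00Z path=/register# email=alice@example.org src=203.0.113.5 status=created
2022-05-01T10:05:00Z path=/register# email=Alice@example.org src=203.0.113.9 status=exists
2022-05-02T09:00:00Z path=/register# email=bob@corp.example src=203.0.113.5 status=created
2022-05-03T08:30:00Z path=/api/social_login provider=google email=bob@corp.example status=success
2022-05-03T08:45:00Z path=/api/social_login provider=github email=carol@example.net status=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")

def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict, or None if the line does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(token.partition("=")[::2] for token in m.group("kv").split())
    fields["ts"] = m.group("ts")
    return fields

def detect(log_text, watchlist_domains=("corp.example",), known_local=()):
    """Return (rule, email, ts) alerts: 'duplicate-register' (email already has a local
    account), 'pre-takeover' (registration for a watched domain), 'takeover-trigger'
    (social login succeeded for an email that already has a local account)."""
    local_accounts = {e.lower() for e in known_local}  # accounts existing before the window
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or "email" not in ev:
            continue
        email = ev["email"].lower()  # normalise so Alice@ and alice@ collide
        domain = email.rsplit("@", 1)[-1]
        if ev.get("path") == "/register#":
            if email in local_accounts:
                alerts.append(("duplicate-register", email, ev["ts"]))
            elif domain in watchlist_domains:
                alerts.append(("pre-takeover", email, ev["ts"]))
            if ev.get("status") == "created":
                local_accounts.add(email)
        elif ev.get("path") == "/api/social_login" and ev.get("status") == "success":
            if email in local_accounts:  # local account exists but login arrived via OAuth
                alerts.append(("takeover-trigger", email, ev["ts"]))
    return alerts
```

Seed known_local with the accounts that existed before the log window, otherwise a social login for a long-standing user is not recognised as the takeover trigger.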

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd     v3.0     6.8    MEDIUM    CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
nvd     v2.0     6.8    MEDIUM    AV:N/AC:M/Au:N/C:P/I:P/A:P
cisa             9.8    CRITICAL