CVE-2022-2368
Published 2022-07-11
CVE-2022-2368: Authentication Bypass by Spoofing in GitHub repository microweber/microweber prior to 1.2.20.
Priority: P347 · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.92% (55.8th percentile)
Authentication Bypass by Spoofing in GitHub repository microweber/microweber prior to 1.2.20.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microweber | microweber | < 1.2.20 | 1.2.20 |
| microweber | microweber | >= 0 < 1.2.21 | 1.2.21 |
| microweber | microweber_microweber | >= unspecified < 1.2.20 | 1.2.20 |
| msrc | azl3_xdg-utils_1.2.1-3_on_azure_linux_3.0 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_msrc | — | 7.4 | HIGH | — |
| vendor_redhat | — | 7.4 | HIGH | — |
OSV
osv · 2022-07-12
CVE-2022-2368 [MEDIUM] Microweber before 1.2.21 allows attacker to bypass IP detection to brute-force password
In the login API, an IP address will by default be blocked when the user tries to log in incorrectly more than 5 times. However, a bypass to this mechanism is possible by abusing an X-Forwarded-For header to bypass IP detection and perform a password brute-force. A patch for this issue is available in Microweber version 1.2.21.
GHSA
ghsa · 2022-07-12
CVE-2022-2368 [MEDIUM] CWE-290 Microweber before 1.2.21 allows attacker to bypass IP detection to brute-force password
In the login API, an IP address will by default be blocked when the user tries to log in incorrectly more than 5 times. However, a bypass to this mechanism is possible by abusing an X-Forwarded-For header to bypass IP detection and perform a password brute-force. A patch for this issue is available in Microweber version 1.2.21.
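The weakness class the advisories describe, as an added illustration that is not Microweber's code: a lockout counter keyed on whatever X-Forwarded-For says lets every request pick its own key, while a counter that honors the header only when the TCP peer is a configured proxy keeps the 5-attempt limit intact. The proxy address, the request host and the header values are constructed for the example.

```python
"""Illustrative IP-keyed login throttle: the vulnerable resolver beside a
fixed one. Generic model, not the Microweber implementation."""
from collections import defaultdict

MAX_FAILED = 5                    # threshold named in the advisory
TRUSTED_PROXIES = {"10.0.0.2"}    # assumed: address of our own reverse proxy


def client_ip_vulnerable(remote_addr, headers):
    # Trusts X-Forwarded-For from any peer, so the sender controls the key.
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip_fixed(remote_addr, headers):
    # Honor the header only when the TCP peer is a trusted proxy, and use the
    # hop that proxy appended last (a client can prepend arbitrary entries).
    xff = headers.get("X-Forwarded-For")
    if remote_addr in TRUSTED_PROXIES and xff:
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return remote_addr


class LoginThrottle:
    def __init__(self, ip_resolver):
        self.ip_resolver = ip_resolver
        self.failures = defaultdict(int)

    def attempt(self, remote_addr, headers, password_ok):
        """Return 'locked', 'ok' or 'fail' for one login attempt."""
        ip = self.ip_resolver(remote_addr, headers)
        if self.failures[ip] >= MAX_FAILED:
            return "locked"
        if password_ok:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        return "fail"


def evaluated_attempts(ip_resolver, attempts=20):
    """Constructed scenario: one host (198.51.100.7) sends `attempts` wrong
    passwords, each carrying a different X-Forwarded-For value. Returns how
    many attempts the throttle actually evaluated instead of rejecting."""
    throttle = LoginThrottle(ip_resolver)
    evaluated = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"203.0.113.{i}"}
        if throttle.attempt("198.51.100.7", headers, password_ok=False) != "locked":
            evaluated += 1
    return evaluated
```

With the vulnerable resolver all 20 attempts are evaluated; with the fixed resolver only the first 5 are, since the header from an untrusted peer is ignored.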
Microsoft
vendor_msrc · 2022-11-08 · CVSS 7.4
CVE-2022-4055 [HIGH] CWE-146
When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in Oct
Red Hat
vendor_redhat · 2022-08-03 · CVSS 7.4
CVE-2022-4055 [HIGH] xdg-utils: improper parse of mailto URIs allows bypass of Thunderbird security mechanism for attachments
When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.
Statement: To exploit this flaw, an attacker would need to convince a user to click on a specially crafted mailto URL. Additionally, the user must have the Thunderbird email client installed and xdg-mail configured to use Thunderbird to handle mailto URLs. Therefore, this vulnerability is rated as moderate rather than important because it requires user interaction and spe
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/microweber/microweber/commit/53c000ccd5602536e28b15d9630eb8261b04a302
- https://huntr.dev/bounties/a9595eda-a5e0-4717-8d64-b445ef83f452
Published: 2022-07-11