CVE-2022-33012:- Account Takeover Through Password Reset Poisoning

The Vendor

Microweber is a Drag-and-Drop PHP CMS with more than 2.5k stars on Github. It’s based on the PHP Laravel Framework and you can make any kind of website, online store, and blog with it. But like every software on this planet it has vulnerabilities and one of those vulnerabilities is the one I’m disclosing today.

Timeline

07/06/2022 – Found the vulnerability

08/06/2022 – Submitted a CVE request to MITRE

13/06/2022 – CVE record created

28/06/2022 – Got mail from MITRE regarding the CVE ID being allocated

01/07/2022 – Sent first email to vendor mentioning about the vulnerability.

16/07/2022 – Sent second email with a link to the video below.

29/10/2022 – Disclosed the vulnerability after waiting for more than 120 days.

The Vulnerability

The following video does more justice to the title of this post than me writing hundreds of words explaining the vulnerability in detail. For those who couldn’t understand what’s happening in the video, you can read a simple proof of concept here. If you want to learn how this vulnerability would look from a source code review perspective, then you can read this article. As the vendor didn’t respond even after 120 days, I’m not going to show the vulnerable code/function here and will let them find it for themselves. It’s time some people learn to take security more seriously.

Conclusion

I’m starting to feel that security is not taken as seriously in the Open Source community as it should be. This lackadaisical approach of Open Source software vendors towards security of their own software is appalling. Anyways, I’d to do my duty and disclose this vulnerability or this CVE ID would’ve ended being forfeited. As always, thanks for reading and this time… watching!

Peace!