# Exploit Title: Microweber CMS 1.2.15 - Account Takeover # Date: 2022-05-09 # Exploit Author: Manojkumar J # Vendor Homepage: https://github.com/microweber/microweber # Software Link: https://github.com/microweber/microweber/releases/tag/v1.2.15 # Version: <=1.2.15 # Tested on: Windows10 # CVE : CVE-2022-1631 # Description: Microweber Drag and Drop Website Builder E-commerce CMS v1.2.15 Oauth Misconfiguration Leads To Account Takeover. # Steps to exploit: 1. Create an account with the victim's email address. Register endpoint: https://target-website.com/register# 2. When the victim tries to login with default Oauth providers like Google, Github, Microsoft, Twitter, Linkedin, Telegram or Facebook etc(auth login) with that same e-mail id that we created account before, via this way we can take over the victim's account with the recently created login credentials.
Credits and Partners
All rights reserved nPulse.net 2009 - 2024
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD
