PT-2022-14015 · Google · G-Suite

Published: 2022-05-09 · Updated: 2022-10-19 · CVE-2022-1631

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: microweber/microweber versions prior to 1.2.15
Description: The issue allows an attacker to create an account in the application using a victim's email address, because registration requires no email confirmation. This gives the attacker a foothold in the victim's account before the victim has ever signed in. Because the email address returned by Social Login is not properly validated and the application does not check whether an account with that address already exists, the victim is never told that an account already exists. As a result, the attacker's access persists, allowing them to see all activities performed by the victim user (impacting confidentiality) and to attempt to modify or corrupt data (affecting integrity and availability). This attack is particularly impactful when an attacker can register an account with an employee's email address, especially in organizations using G-Suite.
Recommendations: For microweber/microweber versions prior to 1.2.15, update to version 1.2.15 or later to resolve the issue. As a temporary workaround, implement email confirmation for new accounts and validate email addresses coming from Social Login to prevent unauthorized account creation. Restrict access to sensitive data and monitor account activity to minimize the risk of exploitation.
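The account-creation and Social Login logic behind the description and the two workarounds, as an added, framework-agnostic model (not Microweber's code): the first class reproduces the flaw the advisory describes, the second applies the recommended checks. The outcome strings, the `provider_verified` flag and the in-memory store are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    password: str | None = None
    email_verified: bool = False    # True only once the owner proved control of the address
    social_ids: set[str] = field(default_factory=set)

class VulnerableStore:
    """Registration and Social Login as the advisory describes them before 1.2.15."""
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, email: str, password: str) -> Account:
        # No confirmation step: whoever registers first is treated as the address owner.
        return self.accounts.setdefault(email.lower(), Account(email.lower(), password, True))

    def social_login(self, provider_email: str, uid: str) -> Account:
        # Neither "is this address already registered?" nor "did the provider verify it?"
        # is checked, so the victim is signed into the account the attacker created.
        acct = self.accounts.setdefault(provider_email.lower(), Account(provider_email.lower(), None, True))
        acct.social_ids.add(uid)
        return acct

class HardenedStore:
    """Same operations with the checks the Recommendations section asks for (assumed design)."""
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, email: str, password: str) -> Account:
        # Account stays unverified (cannot sign in or be linked) until a confirmation link is used.
        return self.accounts.setdefault(email.lower(), Account(email.lower(), password))

    def social_login(self, provider_email: str, uid: str, provider_verified: bool) -> tuple[str, Account | None]:
        """Returns (outcome, account); only the 'ok' outcome may start a session."""
        if not provider_verified:          # an unverified provider claim proves nothing
            return "reject_unverified_provider_email", None
        key = provider_email.lower()
        acct = self.accounts.get(key)
        if acct is None:                   # first sight of this address: create a verified account
            acct = self.accounts[key] = Account(key, None, True, {uid})
            return "ok", acct
        if uid in acct.social_ids:         # identity already linked to this account
            return "ok", acct
        if not acct.email_verified:        # password account that never proved ownership: do not merge
            return "conflict_unconfirmed_account", None
        return "link_requires_password", None  # verified account: re-authenticate before linking
```

The conflict outcome is where a defender gets a detection signal: a Social Login arriving for an address that was registered by password but never confirmed is exactly the pre-created account the advisory warns about.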

Weakness Enumeration: Incorrect Authorization; Improper Access Control

Related Identifiers: CVE-2022-1631, GHSA-73RP-Q4RX-5GRC

Affected Products: G-Suite, Microweber