CVE-2022-2368

Name of the Vulnerable Software and Affected Versions microweber/microweber versions prior to 1.2.20

Description The issue allows for authentication bypass by spoofing, potentially enabling unauthorized access. It is related to business logic errors in the login mechanism. Specifically, the login API blocks an IP address after more than 5 incorrect login attempts, but this can be bypassed by manipulating the X-Forwarded-For header, allowing for password brute-force attacks.

Recommendations For versions prior to 1.2.20, update to version 1.2.21 or later to resolve the issue. As a temporary workaround, consider restricting access to the login API to minimize the risk of exploitation. Avoid using the X-Forwarded-For header in the login API until the issue is resolved.