
CVE-2020-13405: Microweber Discloses Sensitive Information

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.96116%
Published: 5/24/2022
Updated: 8/22/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: microweber/microweber
Ecosystem: composer
Vulnerable Versions: < 1.1.20
First Patched Version: 1.1.20

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is caused by exposing the `User::all()` method, which returns every row of the users table (every attribute the model does not hide), to any caller of a POST request to `/modules/` without an authentication check. That matches the CVSS vector: no privileges required, high confidentiality impact. The patch removes the vulnerable code path, which indicates that `User::all()` is the key vulnerable function. The exact namespace of `User` may vary; in a typical Laravel setup it would be `App\Models\User`.
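As an added illustration (not Microweber's own code and not the actual patch), the following Laravel-style controller shows the pattern the root-cause analysis describes: a handler reachable over POST that returns `User::all()` to any caller, next to a hardened version that requires an authenticated administrator, selects only non-sensitive columns and paginates. The controller name, the route registration and the `is_admin` column are assumptions for the example; whether a given `User` model hides `password` and `remember_token` through `$hidden` depends on the application, so the hardened handler does not rely on it.

```php
<?php
// Added illustration, not Microweber's code. Assumes a Laravel-style app with an
// App\Models\User model that has an `is_admin` column (assumption).
// Illustrative route registration (routes/web.php), also an assumption:
//   Route::post('/modules/', [UsersModuleController::class, 'listHardened']);

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class UsersModuleController extends Controller
{
    // VULNERABLE pattern (what the advisory describes): no authentication or
    // authorization check, and the whole model is serialized to the caller.
    // Every column the model does not list in $hidden (emails, names, any
    // token or hash the model forgot to hide) goes out on the wire.
    public function listVulnerable(Request $request): JsonResponse
    {
        return response()->json(User::all());
    }

    // HARDENED: require an authenticated administrator, select only the
    // columns the caller needs (so $hidden is defense in depth, not the only
    // control), and paginate so one request cannot dump the whole table.
    public function listHardened(Request $request): JsonResponse
    {
        $caller = Auth::user();
        if ($caller === null || !$caller->is_admin) {
            // Same response for "not logged in" and "not allowed", so the
            // endpoint does not reveal which roles it serves.
            return response()->json(['error' => 'forbidden'], 403);
        }

        $users = User::query()
            ->select(['id', 'username', 'created_at'])
            ->orderBy('id')
            ->paginate(50);

        return response()->json($users);
    }
}
```

The important difference is not the column list but the order of checks: the hardened handler decides who the caller is before it touches the users table, and the query itself names its columns instead of trusting the model's serialization settings. When reviewing a similar module, look for any call to `User::all()` (or an unconstrained `User::query()->get()`) reachable from a route that has no `auth` middleware or equivalent check in front of it.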


WAF Protection Rules

WAF Rule

`userfiles/modules/users/controller/controller.php` in Microweber before 1.1.20 allows an unauthenticated user to disclose the users database via a `/modules/ POST` request.
