
CVE-2022-0777: Rate limit missing in microweber

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.64299%
Published: 3/2/2022
Updated: 2/3/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name: microweber/microweber
Ecosystem: composer
Vulnerable Versions: < 1.3
First Patched Version: 1.3

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from missing rate limiting on the password reset endpoints. The patch adds Laravel's 'throttle:3,1' middleware (at most 3 requests per 1-minute window per client key, which for unauthenticated requests is the client IP) to both the web and the API routes that point to UserForgotPasswordController@send. Before the fix these routes had no request throttling at all, so an attacker could flood a victim's mailbox with reset emails and probe which addresses have accounts at an unbounded rate. The controller method itself isn't inherently vulnerable; the weakness (CWE-640, Weak Password Recovery Mechanism for Forgotten Password) lies in the route definitions lacking rate-limiting middleware. High confidence, as the commit directly addresses these routes by adding throttling.
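The route pattern described above, shown before and after the fix, as an added illustrative example rather than microweber's own route file. The route paths, the controller namespace, the limiter name and the use of Laravel 8+ named rate limiters are assumptions made for illustration; only the 'throttle:3,1' middleware string is taken from the advisory.

```php
<?php
// Added example (not microweber's code). Shows the unthrottled route the
// advisory describes, the same route with the patch's middleware applied, and
// a stricter named limiter. Paths, namespace and limiter name are assumed.

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;
use App\Http\Controllers\UserForgotPasswordController; // namespace assumed

// BEFORE (vulnerable): every POST sends a reset email and nothing limits how
// fast one client can repeat it, so a victim can be mail-bombed and account
// existence probed in a loop.
Route::post('/user/forgot-password', [UserForgotPasswordController::class, 'send']);

// AFTER (the pattern used by the patch): Laravel's built-in throttle middleware
// allows at most 3 requests per 1-minute window per client key (the user id
// when authenticated, otherwise the client IP). Requests beyond that receive
// HTTP 429 Too Many Requests with a Retry-After header.
Route::post('/user/forgot-password', [UserForgotPasswordController::class, 'send'])
    ->middleware('throttle:3,1');

// Hardening beyond the patch (assumes a Laravel 8+ app; named limiters are
// normally registered in RouteServiceProvider::boot()). A per-IP cap alone is
// bypassable from many source addresses, so also cap attempts per target
// email address: that is the limit that actually protects a single victim
// from reset-email flooding regardless of where the requests come from.
RateLimiter::for('password-reset', function (Request $request) {
    $email = strtolower(trim((string) $request->input('email', '')));
    return [
        Limit::perMinute(3)->by('ip:' . $request->ip()),
        Limit::perMinute(3)->by('email:' . sha1($email)),
    ];
});

// The API route gets the same named limiter.
Route::post('/api/user/forgot-password', [UserForgotPasswordController::class, 'send'])
    ->middleware('throttle:password-reset');
```

To check a deployment, send four POSTs to the reset endpoint in quick succession from one client: the fourth should return HTTP 429 rather than triggering another email. Note that throttling only slows account enumeration; if the endpoint's response still differs for known and unknown addresses, returning the same neutral message for both is a separate fix.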


WAF Protection Rules

WAF Rule

Microweber prior to version 1.3 does not rate limit password reset emails.
