CVE-2022-0777: Rate limit missing in microweber

Basic Information
CVE ID: CVE-2022-0777
GHSA ID:
CVSS Score: 7.5 (CVSS v3.1)
EPSS Score: 0.64299%
CWE: CWE-640
Published: 3/2/2022
Updated: 2/3/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (network-reachable, low attack complexity, no privileges or user interaction required; high integrity impact, no confidentiality or availability impact)

Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
microweber/microweber | composer | < 1.3 | 1.3 |
Vulnerability Intelligence
Root Cause Analysis (Miggo AI)
The vulnerability stems from missing rate limiting on the password reset endpoints. The patch adds the `throttle:3,1` middleware (in Laravel: at most 3 requests per 1-minute window per client, keyed by IP address for unauthenticated requests) to both the web and API routes pointing to UserForgotPasswordController@send. Before the fix, these routes had no request throttling at all, so an attacker could flood a victim's mailbox with password reset e-mails and, if the endpoint reveals whether an address is registered, probe for valid accounts at high speed. Note that throttling only slows such enumeration; it does not remove the signal, which requires a uniform response for known and unknown addresses. The controller method itself isn't inherently vulnerable; the absence of rate-limiting middleware in the route definitions created the weakness (CWE-640, Weak Password Recovery Mechanism for Forgotten Password). Confidence is high because the commit directly addresses these routes by adding throttling.
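The following is an added example, not code from microweber or from Laravel. It reimplements, outside the framework, what putting `throttle:3,1` in front of the forgot-password route achieves: a fixed window of 3 attempts per 60 seconds keyed by client IP, with a 429 and Retry-After once the budget is spent. The window semantics (opened by the first attempt, rejected attempts not counted) are my reading of the middleware rather than a quote of it, and the route name, IP addresses and e-mail addresses are constructed sample data. The handler also returns the same response for registered and unregistered addresses, which is the part rate limiting alone does not give you.

```python
# Added example (not microweber or Laravel code): a fixed-window request
# throttle in front of a password-reset handler, reproducing the effect of
# putting `throttle:3,1` on the forgot-password routes.  The window
# semantics (3 attempts, 60-second window opened by the first attempt,
# keyed by client IP) are an assumption about the middleware, not a quote of it.
import math
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class FixedWindowLimiter:
    max_attempts: int = 3
    decay_seconds: int = 60
    clock: Callable[[], float] = time.monotonic
    # key -> (window expiry timestamp, attempts recorded in this window)
    buckets: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def hit(self, key: str) -> Tuple[bool, int]:
        """Record one attempt for `key`.

        Returns (allowed, retry_after_seconds); retry_after is 0 when allowed.
        Rejected attempts are not counted, so a client that keeps hammering
        the endpoint does not extend its own lock-out.
        """
        now = self.clock()
        expiry, attempts = self.buckets.get(key, (0.0, 0))
        if now >= expiry:
            # First attempt, or the previous window has lapsed: open a new window.
            expiry, attempts = now + self.decay_seconds, 0
        if attempts >= self.max_attempts:
            return False, math.ceil(expiry - now)
        self.buckets[key] = (expiry, attempts + 1)
        return True, 0


@dataclass
class ForgotPasswordEndpoint:
    """Stand-in for a forgot-password controller action with throttling in front."""
    users: Set[str]                       # registered addresses (constructed sample data)
    limiter: FixedWindowLimiter
    outbox: List[str] = field(default_factory=list)   # reset mails "sent", for inspection

    def send(self, client_ip: str, email: str) -> Tuple[int, Dict[str, str], str]:
        """Handle one POST to the forgot-password route; returns (status, headers, body)."""
        allowed, retry_after = self.limiter.hit(f"forgot-password:{client_ip}")
        if not allowed:
            return 429, {"Retry-After": str(retry_after)}, "Too Many Requests"
        if email in self.users:
            self.outbox.append(email)     # a real handler would mail a reset token here
        # Identical response whether or not the address is registered: throttling
        # only slows enumeration, a uniform response removes the signal entirely.
        return 200, {}, "If that address is registered, a reset link has been sent."


def demo() -> List[int]:
    """Five requests from one IP inside a minute, then one after the window lapses."""
    fake_now = [0.0]                        # controllable clock so the demo is deterministic
    limiter = FixedWindowLimiter(clock=lambda: fake_now[0])
    endpoint = ForgotPasswordEndpoint(users={"alice@example.com"}, limiter=limiter)
    statuses = [endpoint.send("203.0.113.5", "alice@example.com")[0] for _ in range(5)]
    fake_now[0] = 61.0                      # window opened at t=0 expires at t=60
    statuses.append(endpoint.send("203.0.113.5", "alice@example.com")[0])
    return statuses


if __name__ == "__main__":
    print(demo())   # [200, 200, 200, 429, 429, 200]
```

Keying on the client IP matches what the middleware does for unauthenticated requests; in practice a second bucket keyed on the target e-mail address is worth adding as well, since a distributed attacker can spread mailbox flooding across many source addresses while still targeting one account.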