CVE-2023-2240

8.8 HIGH

📋 TL;DR

This vulnerability allows improper privilege management in Microweber CMS, enabling attackers to escalate privileges or perform unauthorized actions. It affects all Microweber installations prior to version 1.3.4, potentially compromising website administrators and users.

💻 Affected Systems

Products:
  • Microweber CMS
Versions: All versions prior to 1.3.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Microweber installations regardless of configuration. The vulnerability is in the core CMS code.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to gain administrative access, modify content, steal data, or deploy malware on affected websites.

🟠 Likely Case

Unauthorized privilege escalation allowing attackers to modify website content, access user data, or install malicious plugins/themes.

🟢 If Mitigated

Limited impact with proper access controls, but still presents authentication bypass risks in certain configurations.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available through the huntr.dev bounty program. Attackers need some level of access to exploit the privilege management flaw.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.4

Vendor Advisory: https://github.com/microweber/microweber/commit/f43d5b767ad5814fc5f84bbaf0b77996262f3a4b

Restart Required: No

Instructions:

1. Back up your Microweber installation and database.
2. Update to Microweber version 1.3.4 or later via the admin panel or a manual update.
3. Verify that the update completed successfully.

🔧 Temporary Workarounds

Temporary Access Restriction

Platform: all

Restrict administrative access to trusted IP addresses only. The private ranges below are placeholders; substitute the addresses your administrators actually connect from.

# Apache (2.2-style mod_access_compat directives). Place this .htaccess in the
# directory that serves the admin interface; it applies to that whole directory tree.
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
Allow from 10.0.0.0/8
# Apache 2.4 equivalent when mod_access_compat is not loaded:
# Require ip 192.168.1.0/24 10.0.0.0/8

# nginx: add to the server block that fronts Microweber
location /admin {
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;
}

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to Microweber admin interfaces
  • Enable detailed logging and monitoring for privilege escalation attempts and unusual admin activities

🔍 How to Verify

Check if Vulnerable:

Check the Microweber version in the admin panel or in the composer.json file. If the version is below 1.3.4, the system is vulnerable.

Check Version:

php artisan --version | grep Microweber
# Note: on a stock Laravel install, artisan --version reports the framework version only.
# If this prints nothing, read the version from composer.json or the admin panel as described above.

Verify Fix Applied:

Verify that the version shown in the admin panel is 1.3.4 or higher, then confirm that privilege escalation attempts that previously succeeded now fail.
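The version check above is easy to get wrong with a plain string comparison ("1.3.10" sorts before "1.3.4" as text). The following added example, which is not part of the advisory or of Microweber's own code, reads the "version" field from composer.json as the advisory suggests and compares it numerically against the fixed release 1.3.4; the exact location of the field in composer.json is an assumption.

```python
"""Added example (not from the advisory): decide whether a Microweber
version string is below the fixed release 1.3.4 for CVE-2023-2240.
Assumes the version is readable from composer.json's top-level "version"
key, as the advisory suggests; that key location is an assumption."""
import json
import re

FIXED_VERSION = "1.3.4"  # first release the advisory lists as patched


def parse_version(text):
    """Turn '1.3.4', 'v1.3.10' or '1.3.4-beta' into a comparable tuple of ints.
    Numeric comparison avoids the string-compare bug where '1.3.10' < '1.3.4'."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad so that '1.3' compares equal to '1.3.0'.
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version is strictly below the fixed version."""
    return parse_version(version) < parse_version(fixed)


def version_from_composer(composer_json_text):
    """Extract the top-level "version" field from composer.json text.
    Returns None if the field is absent (some checkouts omit it)."""
    data = json.loads(composer_json_text)
    return data.get("version")


def check_composer(composer_json_text):
    """Return (version, vulnerable) for a composer.json body.
    Both are None when the version cannot be determined, so a missing
    field is reported as unknown rather than silently treated as safe."""
    version = version_from_composer(composer_json_text)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Constructed sample: a composer.json fragment claiming an older version.
    sample = '{"name": "microweber/microweber", "version": "1.3.3"}'
    print(check_composer(sample))
```

Run it against the real file with `check_composer(open("composer.json").read())`; a result of `(None, None)` means the file carries no version field and the admin panel must be consulted instead.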

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed privilege escalation attempts
  • Unusual admin user creation/modification
  • Unexpected permission changes

Network Indicators:

  • Unusual traffic patterns to admin endpoints
  • Multiple authentication attempts from single source

SIEM Query:

source="microweber.logs" AND (event="permission_change" OR event="user_privilege_escalation")
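The indicators above translate into two concrete rules: alert on any change that grants an administrator role, and alert on a burst of privilege-related events from a single source. The following added example, not part of the advisory and not Microweber's own logging, applies both rules to a handful of constructed log lines. The key=value log format and the event names other than permission_change and user_privilege_escalation are assumptions made for the example.

```python
"""Added example (not from the advisory): screen application log lines for
the privilege-escalation indicators listed in the Detection section.
The 'timestamp key=value ...' log format and the event names user_create
and user_update are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

PRIV_EVENTS = {"permission_change", "user_privilege_escalation",
               "user_create", "user_update"}
THRESHOLD = 3                   # alert after this many privilege events ...
WINDOW = timedelta(minutes=10)  # ... from one source inside this window


def parse_line(line):
    """Parse 'ts k=v k=v ...' into a dict; returns None for lines that don't fit."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        rec = {"ts": datetime.fromisoformat(parts[0].replace("Z", "+00:00"))}
    except ValueError:
        return None
    for kv in parts[1:]:
        if "=" in kv:
            k, v = kv.split("=", 1)
            rec[k] = v
    return rec


def detect(lines):
    """Return alert strings for (a) any event that grants the admin role and
    (b) bursts of privilege-related events from one source IP."""
    alerts = []
    recent = defaultdict(list)  # src -> timestamps of recent privilege events
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("event") not in PRIV_EVENTS:
            continue
        src, ts = rec.get("src", "?"), rec["ts"]
        if rec.get("role") == "admin":
            alerts.append(f"{ts.isoformat()} admin role granted to "
                          f"{rec.get('target', '?')} by {rec.get('user', '?')} from {src}")
        # Keep only events inside the sliding window, then add this one.
        window = [t for t in recent[src] if ts - t <= WINDOW] + [ts]
        recent[src] = window
        if len(window) == THRESHOLD:  # fire once, when the threshold is first reached
            alerts.append(f"{ts.isoformat()} {THRESHOLD} privilege events "
                          f"from {src} within {WINDOW}")
    return alerts


# Constructed sample log: one non-admin account grants itself admin, creates
# another admin and escalates it, all from one address within a few minutes.
SAMPLE_LOG = [
    "2024-05-01T09:00:00Z src=203.0.113.7 user=editor event=login status=ok",
    "2024-05-01T09:01:00Z src=203.0.113.7 user=editor event=permission_change target=editor role=admin",
    "2024-05-01T09:02:00Z src=203.0.113.7 user=editor event=user_create target=newuser role=admin",
    "2024-05-01T09:03:00Z src=203.0.113.7 user=editor event=user_privilege_escalation target=newuser",
    "2024-05-01T10:30:00Z src=198.51.100.4 user=alice event=user_update target=alice",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample this raises two admin-grant alerts and one burst alert for 203.0.113.7, while the single routine update from 198.51.100.4 stays quiet. The burst rule fires once per window rather than on every subsequent event, which keeps a noisy source from flooding the queue.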
