CVE-2023-48122: 
PHP vulnerability analysis and mitigation

A vulnerability was discovered in microweber version 2.0.1 (fixed in v2.0.4) that allows remote attackers to obtain sensitive information through HTTP GET method. The vulnerability was identified and reported on November 7, 2023, affecting the login functionality of the microweber application (GitHub Issue).

The vulnerability stems from an improper implementation of the login mechanism where sensitive credentials are transmitted via GET request instead of POST request. Specifically, the issue occurs when login credentials are passed through URL parameters during the authentication process. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) (NVD).

The vulnerability can lead to account takeover as login credentials are exposed in URL parameters, making them visible in server logs, browser history, and potentially cached by intermediate systems. This exposure significantly increases the risk of credential theft and unauthorized account access (GitHub Issue).

The vulnerability has been fixed in microweber version 2.0.4. Users are advised to upgrade to this version or later. The fix addresses the improper use of GET requests for sensitive information by implementing proper POST request handling for login credentials (NVD).