Published: 15/02/2021 Updated: 01/01/2022

CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8

CVSS v3 Base Score: 7.2 | Impact Score: 5.9 | Exploitability Score: 1.2

VMScore: 578

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

A directory traversal issue in the Utils/Unzip module in Microweber up to and including 1.1.20 allows an authenticated malicious user to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.

Vulnerable Product	Search on Vulmon	Subscribe to Product
microweber microweber

Microweber CMS versions 1120 and below suffer from a remote code execution vulnerability ...

CWE-22 https://sl1nki.page/advisories/CVE-2020-28337 https://sl1nki.page/blog/2021/02/01/microweber-zip-slip https://github.com/microweber/microweber/commit/777ee9c3e7519eb3672c79ac41066175b2001b50 http://packetstormsecurity.com/files/162514/Microweber-CMS-1.1.20-Remote-Code-Execution.html https://nvd.nist.gov https://packetstormsecurity.com/files/162514/Microweber-CMS-1.1.20-Remote-Code-Execution.html

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2020-28337

Vulnerability Summary

Vulnerability Trend

Exploits

References

Vulmon Search

About

Products

Connect