QwikSec

Security Database

CVE

CWE

Training

CVE-2020-28337

Published: Feb 15, 2021

Modified: Aug 4, 2024

PUBLISHED

Description

A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/microweber/microweber/commit/777ee9c3e7519eb3672c79ac41066175b2001b50

x_refsource_MISC

https://sl1nki.page/advisories/CVE-2020-28337

x_refsource_MISC

https://sl1nki.page/blog/2021/02/01/microweber-zip-slip

x_refsource_MISC

http://packetstormsecurity.com/files/162514/Microweber-CMS-1.1.20-Remote-Code-Execution.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.