CVE-2020-28337

HIGH

Microweber < 1.1.20 - Path Traversal

Title source: rule

Description

A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.
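The defensive counterpart of the flaw described above, as an added example that is not Microweber's code: before a restore routine writes anything, every archive entry name is checked for paths that would land outside the extraction root (absolute paths, drive letters, backslashes, or `..` components surviving normalization). The sample archive and the restore root path are constructed for this example.

```python
"""Added example: vet ZIP entry names before a backup restore extracts them.

Models the CWE-22 class of flaw from CVE-2020-28337, where an unzip routine
honoured entry names such as '../../x'. Nothing here is Microweber's code; the
sample archive and restore root are constructed for the demonstration.
"""
import io
import os
import posixpath
import zipfile


def entry_escapes_root(name: str, root: str) -> bool:
    """True if extracting `name` under `root` would write outside `root`."""
    # ZIP names are '/'-separated; treat backslashes, absolute paths and
    # drive letters as hostile rather than guessing how the OS would map them.
    if "\\" in name or name.startswith("/") or os.path.splitdrive(name)[0]:
        return True
    normalized = posixpath.normpath(name)          # collapses 'a/../b' -> 'b'
    if normalized == ".." or normalized.startswith("../"):
        return True
    root_abs = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_abs, *normalized.split("/")))
    # Final containment check: the resolved target must stay under the root.
    return os.path.commonpath([root_abs, target]) != root_abs


def vet_archive(zip_bytes: bytes, root: str) -> dict:
    """Classify entries as 'ok' or 'rejected' without extracting anything."""
    result = {"ok": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            bucket = "rejected" if entry_escapes_root(info.filename, root) else "ok"
            result[bucket].append(info.filename)
    return result


def build_sample_backup() -> bytes:
    """Constructed archive: one legitimate entry and two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("userfiles/media/logo.png", b"placeholder")
        zf.writestr("../../config/app.php", b"placeholder")        # plain '..'
        zf.writestr("uploads/../../../escaped.txt", b"placeholder")  # hidden '..'
    return buf.getvalue()


if __name__ == "__main__":
    # Assumed restore directory; any writable path works for the check itself.
    print(vet_archive(build_sample_backup(), "/tmp/restore_root"))
```

A restore routine would refuse the whole archive as soon as `rejected` is non-empty, since a partially applied backup is worse than none.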

Exploits (1)

exploitdb (working PoC)
by sl1nki · tags: python, webapps, php
https://www.exploit-db.com/exploits/49856

Scores

CVSS v3 7.2
EPSS 0.1381
EPSS Percentile 94.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-22
Status published
Products (2)
microweber/microweber < 1.1.20
microweber/microweber 0 - 1.2.3 (Packagist)
Published Feb 15, 2021
Tracked Since Feb 18, 2026