Microweber Security Vulnerabilities
Directory traversal vulnerability in userfiles/modules/admin/backup/delete.php in Microweber before 0.830 allows remote attackers to delete arbitrary files via a .. (dot dot) in the file parameter.
6.8AI Score
0.004EPSS
SQL injection vulnerability in Category.php in Microweber CMS 0.95 before 20141209 allows remote attackers to execute arbitrary SQL commands via the category parameter when displaying a category, related to the $parent_id variable.
8.4AI Score
0.001EPSS
Microweber version <= 1.0.7 contains a Cross Site Scripting (XSS) vulnerability in Admin login form template that can result in Execution of JavaScript code.
6.1CVSS
6AI Score
0.002EPSS
An issue was discovered in Microweber 1.0.7. There is a CSRF attack (against the admin user) that can add an administrative account via api/save_user.
8.8CVSS
8.7AI Score
0.003EPSS
6.1CVSS
6.1AI Score
0.017EPSS
Microweber 1.1.18 allows Unrestricted File Upload because admin/view:modules/load_module:users#edit-user=1 does not verify that the file extension (used with the Add Image option on the Edit User screen) corresponds to an image file.
7.8CVSS
7.5AI Score
0.001EPSS
userfiles/modules/users/controller/controller.php in Microweber before 1.1.20 allows an unauthenticated user to disclose the users database via a /modules/ POST request.
7.5CVSS
7.3AI Score
0.009EPSS
5.5CVSS
5.5AI Score
0.0004EPSS
An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. An attacker can upload PHP code or any extension (eg- .exe) to the web server by providing image data and the image/jpeg content type with a .php extension.
9.8CVSS
9.5AI Score
0.002EPSS
Microweber 1.1.18 is affected by broken authentication and session management. Local session hijacking may occur, which could result in unauthorized access to system data or functionality, or a complete system compromise.
5.5CVSS
5.5AI Score
0.0004EPSS
Microweber 1.1.18 is affected by insufficient session expiration. When changing passwords, both sessions for when a user changes email and old sessions in any other browser or device, the session does not expire and remains active.
8.1CVSS
8AI Score
0.002EPSS
A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously const...
7.2CVSS
7.3AI Score
0.049EPSS
Microweber is a drag and drop website builder and content management system. Versions 1.2.12 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. A fix was attempted i...
6.1CVSS
5.8AI Score
0.001EPSS
Cockpit is a content management system that allows addition of content management functionality to any site. In versions 0.12.2 and prior, bad HTML sanitization in htmleditor.js may lead to cross-site scripting (XSS) issues. There are no known patches for this issue.
6.1CVSS
5.9AI Score
0.001EPSS
Cross Site Scripting (XSS). vulnerability exists in Microweber CMS 1.2.7 via the Login form, which could let a malicious user execute Javascript by Inserting code in the request form.
6.1CVSS
6.2AI Score
0.001EPSS
An Arbitrary File Upload vulnerability exists in Microweber 1.1.3 that allows attackers to getshell via the Settings Upload Picture section by uploading pictures with malicious code, user.ini.
8.8CVSS
8.5AI Score
0.001EPSS
Incorrect Permission Assignment for Critical Resource in Packagist microweber/microweber prior to 1.2.11.
6.5CVSS
6.3AI Score
0.001EPSS
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
5.4CVSS
5.1AI Score
0.001EPSS
Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11.
7.5CVSS
7.3AI Score
0.005EPSS
7.5CVSS
7.2AI Score
0.001EPSS
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
5.4CVSS
5.1AI Score
0.001EPSS
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
5.4CVSS
5.1AI Score
0.001EPSS
Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11.
6.5CVSS
6.2AI Score
0.001EPSS
Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.
6.5CVSS
6.4AI Score
0.001EPSS
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
5.4CVSS
5.1AI Score
0.001EPSS
7.2CVSS
6.9AI Score
0.041EPSS
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
5.4CVSS
5.1AI Score
0.001EPSS
6.1CVSS
6.1AI Score
0.001EPSS
Improper Validation of Specified Quantity in Input in Packagist microweber/microweber prior to 1.2.11.
4.3CVSS
4.5AI Score
0.001EPSS
6.1CVSS
6AI Score
0.001EPSS
Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.
4.3CVSS
4.6AI Score
0.001EPSS
Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11.
7.5CVSS
7.3AI Score
0.007EPSS
CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11.
7.5CVSS
7.5AI Score
0.032EPSS
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
6.1CVSS
5.9AI Score
0.001EPSS
4.9CVSS
4.9AI Score
0.001EPSS
Use multiple time the one-time coupon in Packagist microweber/microweber prior to 1.2.11.
5.3CVSS
5.1AI Score
0.001EPSS
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
6.1CVSS
5.9AI Score
0.001EPSS
Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the 'select-file' parameter.
6.1CVSS
6AI Score
0.001EPSS
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3.
5.4CVSS
5.3AI Score
0.001EPSS
Insertion of Sensitive Information Into Debugging Code in GitHub repository microweber/microweber prior to 1.3.
6.5CVSS
6.4AI Score
0.001EPSS
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.11.
5.4CVSS
5.2AI Score
0.001EPSS
Insecure Storage of Sensitive Information in GitHub repository microweber/microweber prior to 1.3.
6.5CVSS
6.3AI Score
0.001EPSS
5.5CVSS
4.5AI Score
0.001EPSS
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.
4.8CVSS
4.8AI Score
0.001EPSS
Weak Password Recovery Mechanism for Forgotten Password in GitHub repository microweber/microweber prior to 1.3.
7.5CVSS
7.5AI Score
0.001EPSS
Improper Resolution of Path Equivalence in GitHub repository microweber-dev/whmcs_plugin prior to 0.0.4.
6.1CVSS
6.2AI Score
0.001EPSS
9.8CVSS
9.6AI Score
0.002EPSS
Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3.
8.8CVSS
8.6AI Score
0.003EPSS
Unrestricted file upload leads to stored XSS in GitHub repository microweber/microweber prior to 1.1.12.
4.8CVSS
4.8AI Score
0.001EPSS
Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.2.11.
4.8CVSS
5AI Score
0.001EPSS