111 matches found
CVE-2022-2300
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.
CVE-2022-4647
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.2.
CVE-2022-2495
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.21.
CVE-2022-0698
Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the 'select-file' parameter.
CVE-2022-1439
Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press "tab" but there is probably a paylaod that runs without user interaction.
CVE-2022-2280
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.
CVE-2022-2470
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21.
CVE-2022-0277
Incorrect Permission Assignment for Critical Resource in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0278
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
CVE-2023-1081
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.
CVE-2022-0282
Cross-site Scripting in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-3242
Code Injection in GitHub repository microweber/microweber prior to 1.3.2.
CVE-2022-2353
Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user.
CVE-2022-0505
Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0506
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-3245
HTML injection attack is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input.
CVE-2022-2777
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.1.
CVE-2022-33012
Microweber v1.2.15 was discovered to allow attackers to perform an account takeover via a host header injection attack.
CVE-2023-0608
Cross-site Scripting (XSS) - DOM in GitHub repository microweber/microweber prior to 1.3.2.
CVE-2022-0379
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
CVE-2021-32856
Microweber is a drag and drop website builder and content management system. Versions 1.2.12 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. A fix was attempted i...
CVE-2021-33988
Cross Site Scripting (XSS). vulnerability exists in Microweber CMS 1.2.7 via the Login form, which could let a malicious user execute Javascript by Inserting code in the request form.
CVE-2022-4732
Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.3.2.
CVE-2014-9464
SQL injection vulnerability in Category.php in Microweber CMS 0.95 before 20141209 allows remote attackers to execute arbitrary SQL commands via the category parameter when displaying a category, related to the $parent_id variable.
CVE-2023-2014
Cross-site Scripting (XSS) - Generic in GitHub repository microweber/microweber prior to 1.3.3.
CVE-2023-48122
An issue in microweber v.2.0.1 and fixed in v.2.0.4 allows a remote attacker to obtain sensitive information via the HTTP GET method.
CVE-2023-49052
File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component.
CVE-2023-5244
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 2.0.
CVE-2023-3142
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.
CVE-2024-33299
Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view?type=users
CVE-2023-2240
Improper Privilege Management in GitHub repository microweber/microweber prior to 1.3.4.
CVE-2025-2214
A vulnerability was found in Microweber 2.0.19. It has been rated as problematic. This issue affects some unknown processing of the file userfiles/modules/settings/group/website_group/index.php of the component Settings Handler. The manipulation of the argument group leads to cross site scripting. ...
CVE-2024-33297
Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the Add new campaign function
CVE-2024-33298
Microweber Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the create new backup function in the endpoint /admin/module/view?type=admin__backup
CVE-2021-36461
An Arbitrary File Upload vulnerability exists in Microweber 1.1.3 that allows attackers to getshell via the Settings Upload Picture section by uploading pictures with malicious code, user.ini.
CVE-2023-2239
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository microweber/microweber prior to 1.3.4.
CVE-2023-47379
Microweber CMS version 2.0.1 is vulnerable to stored Cross Site Scripting (XSS) via the profile picture file upload functionality.
CVE-2023-1881
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.
CVE-2023-5976
Improper Access Control in GitHub repository microweber/microweber prior to 2.0.
CVE-2020-23139
Microweber 1.1.18 is affected by broken authentication and session management. Local session hijacking may occur, which could result in unauthorized access to system data or functionality, or a complete system compromise.
CVE-2021-32857
Cockpit is a content management system that allows addition of content management functionality to any site. In versions 0.12.2 and prior, bad HTML sanitization in htmleditor.js may lead to cross-site scripting (XSS) issues. There are no known patches for this issue.
CVE-2013-5984
Directory traversal vulnerability in userfiles/modules/admin/backup/delete.php in Microweber before 0.830 allows remote attackers to delete arbitrary files via a .. (dot dot) in the file parameter.
CVE-2018-1000826
Microweber version
CVE-2018-19917
Microweber 1.0.8 has reflected cross-site scripting (XSS) vulnerabilities.
CVE-2020-23138
An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. An attacker can upload PHP code or any extension (eg- .exe) to the web server by providing image data and the image/jpeg content type with a .php extension.
CVE-2023-5861
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.
CVE-2020-23140
Microweber 1.1.18 is affected by insufficient session expiration. When changing passwords, both sessions for when a user changes email and old sessions in any other browser or device, the session does not expire and remains active.
CVE-2023-6599
Missing Standardized Error Handling Mechanism in GitHub repository microweber/microweber prior to 2.0.
CVE-2018-17104
An issue was discovered in Microweber 1.0.7. There is a CSRF attack (against the admin user) that can add an administrative account via api/save_user.
CVE-2020-13241
Microweber 1.1.18 allows Unrestricted File Upload because admin/view:modules/load_module:users#edit-user=1 does not verify that the file extension (used with the Add Image option on the Edit User screen) corresponds to an image file.