
CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

Cross-site Scripting in Packagist microweber/microweber prior to 1.2.11. Code Injection in Packagist microweber/microweber versions prior to 1.2.11. • https://github.com/microweber/microweber/commit/51b5a4e3ef01e587797c0109159a8ad9d2bac77a https://huntr.dev/bounties/8815b642-bd9b-4737-951b-bde7319faedd • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11. • https://github.com/microweber/microweber/commit/e680e134a4215c979bfd2eaf58336be34c8fc6e6 https://huntr.dev/bounties/315f5ac6-1b5e-4444-ad8f-802371da3505 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 1

Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11. • https://github.com/microweber/microweber/commit/b64ef574b82dbf89a908e1569d790c7012d1ccd7 https://huntr.dev/bounties/64495d0f-d5ec-4542-9693-32372c18d030 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

Incorrect Permission Assignment for Critical Resource in Packagist microweber/microweber prior to 1.2.11. Improper Access Control in Packagist microweber/microweber versions prior to 1.2.11. • https://github.com/microweber/microweber/commit/e680e134a4215c979bfd2eaf58336be34c8fc6e6 https://huntr.dev/bounties/0e776f3d-35b1-4a9e-8fe8-91e46c0d6316 • CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS: 7.2 • EPSS: 4% • CPEs: 1 • EXPL: 3

A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file. Microweber CMS versions 1.1.20 and below suffer from a remote code execution vulnerability. • https://www.exploit-db.com/exploits/49856 http://packetstormsecurity.com/files/162514/Microweber-CMS-1.1.20-Remote-Code-Execution.html https://github.com/microweber/microweber/commit/777ee9c3e7519eb3672c79ac41066175b2001b50 https://sl1nki.page/advisories/CVE-2020-28337 https://sl1nki.page/blog/2021/02/01/microweber-zip-slip • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')