
CVSS: 7.5 • EPSS: 1% • CPEs: 1 • EXPL: 2

userfiles/modules/users/controller/controller.php in Microweber before 1.1.20 allows an unauthenticated user to disclose the users database via a /modules/ POST request. • https://github.com/mrnazu/CVE-2020-13405 https://github.com/microweber/microweber/commit/269320e0e0e06a1785e1a1556da769a34280b7e6 https://rhinosecuritylabs.com/research/microweber-database-disclosure • CWE-306: Missing Authentication for Critical Function

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

Microweber 1.1.18 allows Unrestricted File Upload because admin/view:modules/load_module:users#edit-user=1 does not verify that the file extension (used with the Add Image option on the Edit User screen) corresponds to an image file. • https://gist.github.com/virendratiwari03/0af29841fdf27207eb3abc8f28d326f3 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.1 • EPSS: 1% • CPEs: 1 • EXPL: 1

Microweber 1.0.8 has reflected cross-site scripting (XSS) vulnerabilities. Microweber version 1.0.8 suffers from reflected cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/151005/Microweber-1.0.8-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2019/Jan/12 http://seclists.org/fulldisclosure/2019/Jan/25 https://github.com/microweber/microweber/commits/master https://www.netsparker.com/web-applications-advisories/ns-18-038-reflected-cross-site-scripting-in-microweber • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 2

Microweber version <= 1.0.7 contains a Cross Site Scripting (XSS) vulnerability in the Admin login form template that can result in execution of JavaScript code. • https://0dd.zone/2018/10/28/microweber-XSS https://github.com/microweber/microweber/issues/489 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 2

An issue was discovered in Microweber 1.0.7. There is a CSRF attack (against the admin user) that can add an administrative account via api/save_user. • https://github.com/microweber/microweber/commit/982ea9d5efb7d2306a05644ebc3469dadb33767e https://github.com/microweber/microweber/issues/483 https://github.com/microweber/microweber/issues/484 • CWE-352: Cross-Site Request Forgery (CSRF)