← volver
CVE-2020-28337

CVE-2020-28337

EPSS 16.6%
A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.
Productos afectados
n/a · n/a
PoCs públicas encontradas2
cve_referencepacketstormsecurity.com/files/162514/Microweber-CMS-1.1.20-Remote-Code-Execution.htmlno verificadoexploitdbwww.exploit-db.com/exploits/49856no verificado
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
http://packetstormsecurity.com/files/162514/Microweber-CMS-1.1.20-Remote-Code-Execution.htmlhttps://github.com/microweber/microweber/commit/777ee9c3e7519eb3672c79ac41066175b2001b50https://sl1nki.page/advisories/CVE-2020-28337https://sl1nki.page/blog/2021/02/01/microweber-zip-slip