← voltar
CVE-2020-28337

CVE-2020-28337

EPSS 16.6%
A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.
Produtos afetados
n/a · n/a
PoCs públicas encontradas2
cve_referencepacketstormsecurity.com/files/162514/Microweber-CMS-1.1.20-Remote-Code-Execution.htmlnão verificadoexploitdbwww.exploit-db.com/exploits/49856não verificado
⚠ Recursos públicos, para você avaliar a exposição de sistemas que controla ou está autorizado a testar. Teste apenas com autorização.

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
http://packetstormsecurity.com/files/162514/Microweber-CMS-1.1.20-Remote-Code-Execution.htmlhttps://github.com/microweber/microweber/commit/777ee9c3e7519eb3672c79ac41066175b2001b50https://sl1nki.page/advisories/CVE-2020-28337https://sl1nki.page/blog/2021/02/01/microweber-zip-slip