CVE-2020-28337

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-28337

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-28337.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-28337

Aliases

GHSA-pqcf-v8v5-jmcg

Published

2021-02-15T20:15:12Z

Modified

2025-01-08T10:32:11.272148Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.

References

Affected packages

Git / github.com/microweber/microweber

Affected ranges

Type: GIT
Repo: https://github.com/microweber/microweber
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

777ee9c3e7519eb3672c79ac41066175b2001b50

Fixed

777ee9c3e7519eb3672c79ac41066175b2001b50

Affected versions

1.*

1.0.3

1.0.5-fix1

1.0.6

1.0.7

1.0.7-fix1

1.1