Microweber 0.8 Security Vulnerabilities
An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By specifying an absolute file path in the src parameter of the upload request, the server may relocate or delete the target file depending on the web service user’s privileges. The corresponding download endpoint can then be used to retrieve the file contents, effectively enabling local file disclosure. This behavior stems from insufficient validation of user-supplied paths and inadequate restrictions on file access and backup logic.
CVSS Score: 7.2 | EPSS Score: 0.0 | Published: 2025-07-02
Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the Add new campaign function.
CVSS Score: 4.7 | EPSS Score: 0.003 | Published: 2025-01-10
Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the create new backup function in the endpoint /admin/module/view?type=admin__backup.
CVSS Score: 6.1 | EPSS Score: 0.001 | Published: 2025-01-10
Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view?type=users.
CVSS Score: 4.7 | EPSS Score: 0.003 | Published: 2025-01-10
A reflected cross-site scripting (XSS) vulnerability exists in '/search' in Microweber 2.0.15 and earlier, allowing unauthenticated remote attackers to inject arbitrary web script or HTML via the 'keywords' parameter.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2024-08-06
Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.
CVSS Score: 6.0 | EPSS Score: 0.001 | Published: 2023-12-15
Missing Standardized Error Handling Mechanism in GitHub repository microweber/microweber prior to 2.0.
CVSS Score: 3.1 | EPSS Score: 0.001 | Published: 2023-12-08
Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.
CVSS Score: 5.9 | EPSS Score: 0.001 | Published: 2023-12-07
Improper Access Control in GitHub repository microweber/microweber prior to 2.0.
CVSS Score: 4.6 | EPSS Score: 0.001 | Published: 2023-11-07
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.
CVSS Score: 6.4 | EPSS Score: 0.001 | Published: 2023-10-31

