Microweber
By the Year
In 2024 there have been 0 vulnerabilities in Microweber. Last year Microweber had 19 security vulnerabilities published. Right now, Microweber is on track to have fewer security vulnerabilities in 2024 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 19 | 6.13 |
| 2022 | 66 | 6.21 |
| 2021 | 2 | 6.65 |
| 2020 | 5 | 7.28 |
| 2019 | 1 | 6.10 |
| 2018 | 2 | 7.45 |
It may take a day or so for new Microweber vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Microweber Security Vulnerabilities
Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.
CVE-2023-6832
4.3 - Medium
- December 15, 2023
Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.
Business Logic Errors
An issue in microweber v.2.0.1 and fixed in v.2.0.4
CVE-2023-48122
7.5 - High
- December 08, 2023
An issue in microweber v.2.0.1 and fixed in v.2.0.4 allows a remote attacker to obtain sensitive information via the HTTP GET method.
Missing Standardized Error Handling Mechanism in GitHub repository microweber/microweber prior to 2.0.
CVE-2023-6599
4.3 - Medium
- December 08, 2023
Missing Standardized Error Handling Mechanism in GitHub repository microweber/microweber prior to 2.0.
Improper Handling of Exceptional Conditions
Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.
CVE-2023-6566
6.5 - Medium
- December 07, 2023
Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.
File Upload vulnerability in Microweber v.2.0.4
CVE-2023-49052
8.8 - High
- November 30, 2023
File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component.
Unrestricted File Upload
Microweber CMS version 2.0.1 is vulnerable to stored Cross Site Scripting (XSS)
CVE-2023-47379
5.4 - Medium
- November 08, 2023
Microweber CMS version 2.0.1 is vulnerable to stored Cross Site Scripting (XSS) via the profile picture file upload functionality.
XSS
Improper Access Control in GitHub repository microweber/microweber prior to 2.0.
CVE-2023-5976
4.3 - Medium
- November 07, 2023
Improper Access Control in GitHub repository microweber/microweber prior to 2.0.
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.
CVE-2023-5861
4.8 - Medium
- October 31, 2023
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.
XSS
Use of Hard-coded Credentials in GitHub repository microweber/microweber prior to 2.0.
CVE-2023-5318
7.5 - High
- September 30, 2023
Use of Hard-coded Credentials in GitHub repository microweber/microweber prior to 2.0.
Use of Hard-coded Credentials
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 2.0.
CVE-2023-5244
6.1 - Medium
- September 28, 2023
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 2.0.
XSS
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.
CVE-2023-3142
5.4 - Medium
- June 07, 2023
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.
XSS
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository microweber/microweber prior to 1.3.4.
CVE-2023-2239
6.5 - Medium
- April 22, 2023
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository microweber/microweber prior to 1.3.4.
Privacy violation
Improper Privilege Management in GitHub repository microweber/microweber prior to 1.3.4.
CVE-2023-2240
8.8 - High
- April 22, 2023
Improper Privilege Management in GitHub repository microweber/microweber prior to 1.3.4.
Improper Privilege Management
Cross-site Scripting (XSS) - Generic in GitHub repository microweber/microweber prior to 1.3.3.
CVE-2023-2014
4.8 - Medium
- April 13, 2023
Cross-site Scripting (XSS) - Generic in GitHub repository microweber/microweber prior to 1.3.3.
XSS
Command Injection in GitHub repository microweber/microweber prior to 1.3.3.
CVE-2023-1877
9.8 - Critical
- April 05, 2023
Command Injection in GitHub repository microweber/microweber prior to 1.3.3.
Command Injection
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.
CVE-2023-1881
5.4 - Medium
- April 05, 2023
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.
XSS
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.
CVE-2023-1081
4.8 - Medium
- February 28, 2023
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.
XSS
Microweber is a drag and drop website builder and content management system
CVE-2021-32856
6.1 - Medium
- February 21, 2023
Microweber is a drag and drop website builder and content management system. Versions 1.2.12 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. A fix was attempted in versions 1.2.9 and 1.2.12, but it is incomplete.
XSS
Cross-site Scripting (XSS) - DOM in GitHub repository microweber/microweber prior to 1.3.2.
CVE-2023-0608
5.4 - Medium
- February 01, 2023
Cross-site Scripting (XSS) - DOM in GitHub repository microweber/microweber prior to 1.3.2.
XSS
Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.3.2.
CVE-2022-4732
7.2 - High
- December 27, 2022
Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.3.2.
Unrestricted File Upload
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.2.
CVE-2022-4647
6.1 - Medium
- December 22, 2022
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.2.
XSS
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3.2.
CVE-2022-4617
6.1 - Medium
- December 21, 2022
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3.2.
XSS
Microweber version 1.3.1
CVE-2022-0698
6.1 - Medium
- November 25, 2022
Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the 'select-file' parameter.
XSS
Microweber v1.2.15 was discovered to
CVE-2022-33012
8.8 - High
- November 22, 2022
Microweber v1.2.15 was discovered to allow attackers to perform an account takeover via a host header injection attack.
Injection
An HTML injection attack is closely related to Cross-site Scripting (XSS)
CVE-2022-3245
6.1 - Medium
- September 20, 2022
An HTML injection attack is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page; XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input.
XSS
Code Injection in GitHub repository microweber/microweber prior to 1.3.2.
CVE-2022-3242
6.1 - Medium
- September 20, 2022
Code Injection in GitHub repository microweber/microweber prior to 1.3.2.
XSS
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.1.
CVE-2022-2777
5.4 - Medium
- August 11, 2022
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.1.
XSS
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21.
CVE-2022-2470
6.1 - Medium
- July 22, 2022
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21.
XSS
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.21.
CVE-2022-2495
4.8 - Medium
- July 22, 2022
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.21.
XSS
An Arbitrary File Upload vulnerability exists in Microweber 1.1.3
CVE-2021-36461
8.8 - High
- July 15, 2022
An Arbitrary File Upload vulnerability exists in Microweber 1.1.3 that allows attackers to get a shell via the Settings Upload Picture section by uploading pictures with malicious code (user.ini).
Unrestricted File Upload
Authentication Bypass by Spoofing in GitHub repository microweber/microweber prior to 1.2.20.
CVE-2022-2368
9.8 - Critical
- July 11, 2022
Authentication Bypass by Spoofing in GitHub repository microweber/microweber prior to 1.2.20.
Authentication Bypass by Spoofing
Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents
CVE-2022-2353
6.1 - Medium
- July 09, 2022
Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user.
Session Riding
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.
CVE-2022-2300
5.4 - Medium
- July 04, 2022
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.
XSS
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.
CVE-2022-2280
5.4 - Medium
- July 01, 2022
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.
XSS
Open Redirect in GitHub repository microweber/microweber prior to 1.2.19.
CVE-2022-2252
6.1 - Medium
- June 29, 2022
Open Redirect in GitHub repository microweber/microweber prior to 1.2.19.
Open Redirect
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.18.
CVE-2022-2174
6.1 - Medium
- June 22, 2022
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.18.
XSS
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.17.
CVE-2022-2130
6.1 - Medium
- June 20, 2022
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.17.
XSS
Users Account Pre-Takeover or Users Account Takeover
CVE-2022-1631
8.8 - High
- May 09, 2022
Users' Account Pre-Takeover or Users' Account Takeover in GitHub repository microweber/microweber prior to 1.2.15. Victim account takeover: since there is no email confirmation, an attacker can easily create an account in the application using the victim's email. This allows an attacker to gain pre-authentication to the victim's account. Further, due to the lack of proper validation of the email coming from Social Login and failing to check if an account already exists, the victim will not identify that an account already exists. Hence, the attacker's persistence will remain. An attacker would be able to see all the activities performed by the victim user, impacting confidentiality, and attempt to modify/corrupt the data, impacting the integrity and availability factors. This attack becomes more interesting when an attacker can register an account from an employee's email address. Assuming the organization uses G-Suite, it is much more impactful to hijack an employee's account.
AuthZ
Reflected XSS in GitHub repository microweber/microweber prior to 1.2.16
CVE-2022-1584
6.1 - Medium
- May 04, 2022
Reflected XSS in GitHub repository microweber/microweber prior to 1.2.16. Executes JavaScript as the victim.
XSS
DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16
CVE-2022-1555
6.1 - Medium
- May 04, 2022
DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. Inject arbitrary JS code, deface the website, steal cookies, etc.
XSS
XSS in /demo/module/?module=HERE in GitHub repository microweber/microweber prior to 1.2.15
CVE-2022-1504
6.1 - Medium
- April 27, 2022
XSS in /demo/module/?module=HERE in GitHub repository microweber/microweber prior to 1.2.15. Typical impact of XSS attacks.
XSS
Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15
CVE-2022-1439
6.1 - Medium
- April 22, 2022
Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press "tab" but there is probably a payload that runs without user interaction.
XSS
Ability to create an account with a long password leads to memory corruption / Integer Overflow in GitHub repository microweber/microweber prior to 1.2.12.
CVE-2022-1036
7.5 - High
- March 22, 2022
Ability to create an account with a long password leads to memory corruption / Integer Overflow in GitHub repository microweber/microweber prior to 1.2.12.
Integer Overflow or Wraparound
Unrestricted XML Files Leads to Stored XSS in GitHub repository microweber/microweber prior to 1.2.12.
CVE-2022-0963
5.4 - Medium
- March 15, 2022
Unrestricted XML Files Leads to Stored XSS in GitHub repository microweber/microweber prior to 1.2.12.
XSS
The microweber application
CVE-2022-0968
5.5 - Medium
- March 15, 2022
The Microweber application allows large character strings to be inserted in the input field "first & last name", which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request, in GitHub repository microweber/microweber prior to 1.2.12.
Integer Overflow or Wraparound
The microweber application
CVE-2022-0961
5.5 - Medium
- March 15, 2022
The Microweber application allows large character strings to be inserted in the input field "post title", which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request, in GitHub repository microweber/microweber prior to 1.2.12.
Integer Overflow or Wraparound
Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings
CVE-2022-0954
5.4 - Medium
- March 15, 2022
Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shop's Payment Methods in GitHub repository microweber/microweber prior to 1.2.11.
XSS
File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12.
CVE-2022-0930
4.8 - Medium
- March 12, 2022
File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12.
XSS
XSS on dynamic_text module in GitHub repository microweber/microweber prior to 1.2.11.
CVE-2022-0929
6.1 - Medium
- March 12, 2022
XSS on dynamic_text module in GitHub repository microweber/microweber prior to 1.2.11.
XSS
File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12.
CVE-2022-0926
4.8 - Medium
- March 12, 2022
File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12.
XSS
Abusing Backup/Restore feature to achieve Remote Code Execution in GitHub repository microweber/microweber prior to 1.2.12.
CVE-2022-0921
6.7 - Medium
- March 11, 2022
Abusing Backup/Restore feature to achieve Remote Code Execution in GitHub repository microweber/microweber prior to 1.2.12.
Unrestricted File Upload
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.12.
CVE-2022-0928
5.4 - Medium
- March 11, 2022
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.12.
XSS
Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.2.11.
CVE-2022-0912
4.8 - Medium
- March 11, 2022
Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.2.11.
Unrestricted File Upload
Integer Overflow or Wraparound in GitHub repository microweber/microweber prior to 1.3.
CVE-2022-0913
7.5 - High
- March 11, 2022
Integer Overflow or Wraparound in GitHub repository microweber/microweber prior to 1.3.
Integer Overflow or Wraparound
Unrestricted file upload leads to stored XSS in GitHub repository microweber/microweber prior to 1.1.12.
CVE-2022-0906
4.8 - Medium
- March 10, 2022
Unrestricted file upload leads to stored XSS in GitHub repository microweber/microweber prior to 1.1.12.
XSS
Static Code Injection in GitHub repository microweber/microweber prior to 1.3.
CVE-2022-0895
9.8 - Critical
- March 10, 2022
Static Code Injection in GitHub repository microweber/microweber prior to 1.3.
Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3.
CVE-2022-0896
8.8 - High
- March 09, 2022
Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3.
Code Injection
Weak Password Recovery Mechanism for Forgotten Password in GitHub repository microweber/microweber prior to 1.3.
CVE-2022-0777
7.5 - High
- March 01, 2022
Weak Password Recovery Mechanism for Forgotten Password in GitHub repository microweber/microweber prior to 1.3.
Weak Password Recovery Mechanism for Forgotten Password
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.11.
CVE-2022-0723
5.4 - Medium
- February 26, 2022
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.11.
XSS
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.
CVE-2022-0763
4.8 - Medium
- February 26, 2022
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.
XSS
Incorrect Authorization in GitHub repository microweber/microweber prior to 1.3.
CVE-2022-0762
4.3 - Medium
- February 26, 2022
Incorrect Authorization in GitHub repository microweber/microweber prior to 1.3.
AuthZ
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3.
CVE-2022-0719
5.4 - Medium
- February 23, 2022
Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3.
XSS
Insertion of Sensitive Information Into Debugging Code in GitHub repository microweber/microweber prior to 1.3.
CVE-2022-0721
6.5 - Medium
- February 23, 2022
Insertion of Sensitive Information Into Debugging Code in GitHub repository microweber/microweber prior to 1.3.
Insecure Storage of Sensitive Information in GitHub repository microweber/microweber prior to 1.3.
CVE-2022-0724
6.5 - Medium
- February 23, 2022
Insecure Storage of Sensitive Information in GitHub repository microweber/microweber prior to 1.3.
Insecure Storage of Sensitive Information
Business Logic Errors in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0688
4.9 - Medium
- February 20, 2022
Business Logic Errors in Packagist microweber/microweber prior to 1.2.11.
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0690
6.1 - Medium
- February 19, 2022
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
XSS
Use of a one-time coupon multiple times in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0689
5.3 - Medium
- February 19, 2022
Use of a one-time coupon multiple times in Packagist microweber/microweber prior to 1.2.11.
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0678
6.1 - Medium
- February 19, 2022
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
XSS
CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0666
7.5 - High
- February 18, 2022
CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11.
CRLF Injection
Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0660
7.5 - High
- February 18, 2022
Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11.
Generation of Error Message Containing Sensitive Information
Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0638
4.3 - Medium
- February 17, 2022
Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.
Session Riding
Improper Validation of Specified Quantity in Input in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0596
4.3 - Medium
- February 15, 2022
Improper Validation of Specified Quantity in Input in Packagist microweber/microweber prior to 1.2.11.
Improper Validation of Specified Quantity in Input
Open Redirect in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0597
6.1 - Medium
- February 15, 2022
Open Redirect in Packagist microweber/microweber prior to 1.2.11.
Open Redirect
Open Redirect in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0560
6.1 - Medium
- February 11, 2022
Open Redirect in Packagist microweber/microweber prior to 1.2.11.
Open Redirect
OS Command Injection in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0557
7.2 - High
- February 11, 2022
OS Command Injection in Packagist microweber/microweber prior to 1.2.11.
Shell injection
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0558
5.4 - Medium
- February 10, 2022
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
XSS
Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0505
6.5 - Medium
- February 08, 2022
Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.
Session Riding
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0506
5.4 - Medium
- February 08, 2022
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
XSS
Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0504
6.5 - Medium
- February 08, 2022
Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11.
Generation of Error Message Containing Sensitive Information
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0378
5.4 - Medium
- January 26, 2022
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
XSS
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0379
5.4 - Medium
- January 26, 2022
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
XSS
Cross-site Scripting in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0282
7.5 - High
- January 20, 2022
Cross-site Scripting in Packagist microweber/microweber prior to 1.2.11.
XSS
Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0281
7.5 - High
- January 20, 2022
Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11.
Information Disclosure
Incorrect Permission Assignment for Critical Resource in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0277
6.5 - Medium
- January 20, 2022
Incorrect Permission Assignment for Critical Resource in Packagist microweber/microweber prior to 1.2.11.
Incorrect Permission Assignment for Critical Resource
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
CVE-2022-0278
5.4 - Medium
- January 20, 2022
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
XSS
Cross Site Scripting (XSS)
CVE-2021-33988
6.1 - Medium
- October 19, 2021
A Cross Site Scripting (XSS) vulnerability exists in Microweber CMS 1.2.7 via the login form, which could let a malicious user execute JavaScript by inserting code in the request form.
XSS
A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20
CVE-2020-28337
7.2 - High
- February 15, 2021
A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.
Directory traversal
Microweber 1.1.18 is affected by insufficient session expiration
CVE-2020-23140
8.1 - High
- November 09, 2020
Microweber 1.1.18 is affected by insufficient session expiration. When a password is changed, neither the session in which the user changes their email nor old sessions in any other browser or device expire; they remain active.
Insufficient Session Expiration
Microweber 1.1.18 is affected by broken authentication and session management
CVE-2020-23139
5.5 - Medium
- November 09, 2020
Microweber 1.1.18 is affected by broken authentication and session management. Local session hijacking may occur, which could result in unauthorized access to system data or functionality, or a complete system compromise.
Authentication
An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page
CVE-2020-23138
9.8 - Critical
- November 09, 2020
An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. An attacker can upload PHP code or a file with any extension (e.g., .exe) to the web server by providing image data and the image/jpeg content type with a .php extension.
Unrestricted File Upload
Microweber v1.1.18 is affected by no session expiry after log-out.
CVE-2020-23136
5.5 - Medium
- November 09, 2020
Microweber v1.1.18 is affected by no session expiry after log-out.
Insufficient Session Expiration
userfiles/modules/users/controller/controller.php in Microweber before 1.1.20
CVE-2020-13405
7.5 - High
- July 16, 2020
userfiles/modules/users/controller/controller.php in Microweber before 1.1.20 allows an unauthenticated user to disclose the users database via a /modules/ POST request.
Information Disclosure
Microweber 1.0.8 has reflected cross-site scripting (XSS) vulnerabilities.
CVE-2018-19917
6.1 - Medium
- March 21, 2019
Microweber 1.0.8 has reflected cross-site scripting (XSS) vulnerabilities.
XSS
Microweber version <= 1.0.7 contains a Cross Site Scripting (XSS) vulnerability in Admin login form template
CVE-2018-1000826
6.1 - Medium
- December 20, 2018
Microweber version <= 1.0.7 contains a Cross Site Scripting (XSS) vulnerability in Admin login form template that can result in Execution of JavaScript code.
XSS
An issue was discovered in Microweber 1.0.7
CVE-2018-17104
8.8 - High
- September 16, 2018
An issue was discovered in Microweber 1.0.7. There is a CSRF attack (against the admin user) that can add an administrative account via api/save_user.
Session Riding