Microweber

By the Year

In 2024 there have been 0 vulnerabilities in Microweber. Last year Microweber had 19 security vulnerabilities published. Right now, Microweber is on track to have fewer security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 19 6.13
2022 66 6.21
2021 2 6.65
2020 5 7.28
2019 1 6.10
2018 2 7.45

It may take a day or so for new Microweber vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Microweber Security Vulnerabilities

CVE-2023-6832 4.3 - Medium - December 15, 2023

Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.

Business Logic Errors

CVE-2023-48122 7.5 - High - December 08, 2023

An issue in microweber v.2.0.1 and fixed in v.2.0.4 allows a remote attacker to obtain sensitive information via the HTTP GET method.

CVE-2023-6599 4.3 - Medium - December 08, 2023

Missing Standardized Error Handling Mechanism in GitHub repository microweber/microweber prior to 2.0.

Improper Handling of Exceptional Conditions

CVE-2023-6566 6.5 - Medium - December 07, 2023

Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.

CVE-2023-49052 8.8 - High - November 30, 2023

File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component.

Unrestricted File Upload

CVE-2023-47379 5.4 - Medium - November 08, 2023

Microweber CMS version 2.0.1 is vulnerable to stored Cross Site Scripting (XSS) via the profile picture file upload functionality.

XSS

CVE-2023-5976 4.3 - Medium - November 07, 2023

Improper Access Control in GitHub repository microweber/microweber prior to 2.0.

CVE-2023-5861 4.8 - Medium - October 31, 2023

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.

XSS

CVE-2023-5318 7.5 - High - September 30, 2023

Use of Hard-coded Credentials in GitHub repository microweber/microweber prior to 2.0.

Use of Hard-coded Credentials

CVE-2023-5244 6.1 - Medium - September 28, 2023

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 2.0.

XSS

CVE-2023-3142 5.4 - Medium - June 07, 2023

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.

XSS

CVE-2023-2239 6.5 - Medium - April 22, 2023

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository microweber/microweber prior to 1.3.4.

Privacy violation

CVE-2023-2240 8.8 - High - April 22, 2023

Improper Privilege Management in GitHub repository microweber/microweber prior to 1.3.4.

Improper Privilege Management

CVE-2023-2014 4.8 - Medium - April 13, 2023

Cross-site Scripting (XSS) - Generic in GitHub repository microweber/microweber prior to 1.3.3.

XSS

CVE-2023-1877 9.8 - Critical - April 05, 2023

Command Injection in GitHub repository microweber/microweber prior to 1.3.3.

Command Injection

CVE-2023-1881 5.4 - Medium - April 05, 2023

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.

XSS

CVE-2023-1081 4.8 - Medium - February 28, 2023

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.

XSS

CVE-2021-32856 6.1 - Medium - February 21, 2023

Microweber is a drag and drop website builder and content management system. Versions 1.2.12 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. A fix was attempted in versions 1.2.9 and 1.2.12, but it is incomplete.

XSS

CVE-2023-0608 5.4 - Medium - February 01, 2023

Cross-site Scripting (XSS) - DOM in GitHub repository microweber/microweber prior to 1.3.2.

XSS

CVE-2022-4732 7.2 - High - December 27, 2022

Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.3.2.

Unrestricted File Upload

CVE-2022-4647 6.1 - Medium - December 22, 2022

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.2.

XSS

CVE-2022-4617 6.1 - Medium - December 21, 2022

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3.2.

XSS

CVE-2022-0698 6.1 - Medium - November 25, 2022

Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the 'select-file' parameter.

XSS

CVE-2022-33012 8.8 - High - November 22, 2022

Microweber v1.2.15 was discovered to allow attackers to perform an account takeover via a host header injection attack.

Injection

CVE-2022-3245 6.1 - Medium - September 20, 2022

HTML injection attack is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input.

XSS

CVE-2022-3242 6.1 - Medium - September 20, 2022

Code Injection in GitHub repository microweber/microweber prior to 1.3.2.

XSS

CVE-2022-2777 5.4 - Medium - August 11, 2022

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.1.

XSS

CVE-2022-2470 6.1 - Medium - July 22, 2022

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21.

XSS

CVE-2022-2495 4.8 - Medium - July 22, 2022

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.21.

XSS

CVE-2021-36461 8.8 - High - July 15, 2022

An Arbitrary File Upload vulnerability exists in Microweber 1.1.3 that allows attackers to getshell via the Settings Upload Picture section by uploading pictures with malicious code, user.ini.

Unrestricted File Upload

CVE-2022-2368 9.8 - Critical - July 11, 2022

Authentication Bypass by Spoofing in GitHub repository microweber/microweber prior to 1.2.20.

Authentication Bypass by Spoofing

CVE-2022-2353 6.1 - Medium - July 09, 2022

Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user.

Session Riding

CVE-2022-2300 5.4 - Medium - July 04, 2022

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.

XSS

CVE-2022-2280 5.4 - Medium - July 01, 2022

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.

XSS

CVE-2022-2252 6.1 - Medium - June 29, 2022

Open Redirect in GitHub repository microweber/microweber prior to 1.2.19.

Open Redirect

CVE-2022-2174 6.1 - Medium - June 22, 2022

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.18.

XSS

CVE-2022-2130 6.1 - Medium - June 20, 2022

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.17.

XSS

CVE-2022-1631 8.8 - High - May 09, 2022

Users Account Pre-Takeover or Users Account Takeover in GitHub repository microweber/microweber prior to 1.2.15. Victim account takeover: since there is no email confirmation, an attacker can easily create an account in the application using the victim's email. This allows an attacker to gain pre-authentication to the victim's account. Further, due to the lack of proper validation of the email coming from Social Login and the failure to check whether an account already exists, the victim will not notice that an account already exists. Hence, the attacker's persistence will remain. An attacker would be able to see all the activities performed by the victim user, impacting confidentiality, and attempt to modify/corrupt the data, impacting integrity and availability. This attack becomes more interesting when an attacker can register an account from an employee's email address. Assuming the organization uses G-Suite, it is much more impactful to hijack an employee's account.

AuthZ

CVE-2022-1584 6.1 - Medium - May 04, 2022

Reflected XSS in GitHub repository microweber/microweber prior to 1.2.16. Executing JavaScript as the victim

XSS

CVE-2022-1555 6.1 - Medium - May 04, 2022

DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. inject arbitrary js code, deface website, steal cookie...

XSS

CVE-2022-1504 6.1 - Medium - April 27, 2022

XSS in /demo/module/?module=HERE in GitHub repository microweber/microweber prior to 1.2.15. Typical impact of XSS attacks.

XSS

CVE-2022-1439 6.1 - Medium - April 22, 2022

Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press "tab" but there is probably a payload that runs without user interaction.

XSS

CVE-2022-1036 7.5 - High - March 22, 2022

Able to create an account with long password leads to memory corruption / Integer Overflow in GitHub repository microweber/microweber prior to 1.2.12.

Integer Overflow or Wraparound

CVE-2022-0963 5.4 - Medium - March 15, 2022

Unrestricted XML Files Leads to Stored XSS in GitHub repository microweber/microweber prior to 1.2.12.

XSS

CVE-2022-0968 5.5 - Medium - March 15, 2022

The microweber application allows large character inputs in the "first & last name" input field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request, in GitHub repository microweber/microweber prior to 1.2.12.

Integer Overflow or Wraparound

CVE-2022-0961 5.5 - Medium - March 15, 2022

The microweber application allows large character inputs in the "post title" input field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request, in GitHub repository microweber/microweber prior to 1.2.12.

Integer Overflow or Wraparound

CVE-2022-0954 5.4 - Medium - March 15, 2022

Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Shop's Other Settings, Shop's Autorespond E-mail Settings and Shops' Payments Methods in GitHub repository microweber/microweber prior to 1.2.11.

XSS

CVE-2022-0930 4.8 - Medium - March 12, 2022

File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12.

XSS

CVE-2022-0929 6.1 - Medium - March 12, 2022

XSS on dynamic_text module in GitHub repository microweber/microweber prior to 1.2.11.

XSS

CVE-2022-0926 4.8 - Medium - March 12, 2022

File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12.

XSS

CVE-2022-0921 6.7 - Medium - March 11, 2022

Abusing Backup/Restore feature to achieve Remote Code Execution in GitHub repository microweber/microweber prior to 1.2.12.

Unrestricted File Upload

CVE-2022-0928 5.4 - Medium - March 11, 2022

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.12.

XSS

CVE-2022-0912 4.8 - Medium - March 11, 2022

Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.2.11.

Unrestricted File Upload

CVE-2022-0913 7.5 - High - March 11, 2022

Integer Overflow or Wraparound in GitHub repository microweber/microweber prior to 1.3.

Integer Overflow or Wraparound

CVE-2022-0906 4.8 - Medium - March 10, 2022

Unrestricted file upload leads to stored XSS in GitHub repository microweber/microweber prior to 1.1.12.

XSS

CVE-2022-0895 9.8 - Critical - March 10, 2022

Static Code Injection in GitHub repository microweber/microweber prior to 1.3.

CVE-2022-0896 8.8 - High - March 09, 2022

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3.

Code Injection

CVE-2022-0777 7.5 - High - March 01, 2022

Weak Password Recovery Mechanism for Forgotten Password in GitHub repository microweber/microweber prior to 1.3.

Weak Password Recovery Mechanism for Forgotten Password

CVE-2022-0723 5.4 - Medium - February 26, 2022

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.11.

XSS

CVE-2022-0763 4.8 - Medium - February 26, 2022

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.

XSS

CVE-2022-0762 4.3 - Medium - February 26, 2022

Incorrect Authorization in GitHub repository microweber/microweber prior to 1.3.

AuthZ

CVE-2022-0719 5.4 - Medium - February 23, 2022

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3.

XSS

CVE-2022-0721 6.5 - Medium - February 23, 2022

Insertion of Sensitive Information Into Debugging Code in GitHub repository microweber/microweber prior to 1.3.

CVE-2022-0724 6.5 - Medium - February 23, 2022

Insecure Storage of Sensitive Information in GitHub repository microweber/microweber prior to 1.3.

Insecure Storage of Sensitive Information

CVE-2022-0688 4.9 - Medium - February 20, 2022

Business Logic Errors in Packagist microweber/microweber prior to 1.2.11.

CVE-2022-0690 6.1 - Medium - February 19, 2022

Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.

XSS

CVE-2022-0689 5.3 - Medium - February 19, 2022

A one-time coupon can be used multiple times in Packagist microweber/microweber prior to 1.2.11.

CVE-2022-0678 6.1 - Medium - February 19, 2022

Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.

XSS

CVE-2022-0666 7.5 - High - February 18, 2022

CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11.

CRLF Injection

CVE-2022-0660 7.5 - High - February 18, 2022

Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11.

Generation of Error Message Containing Sensitive Information

CVE-2022-0638 4.3 - Medium - February 17, 2022

Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.

Session Riding

CVE-2022-0596 4.3 - Medium - February 15, 2022

Improper Validation of Specified Quantity in Input in Packagist microweber/microweber prior to 1.2.11.

Improper Validation of Specified Quantity in Input

CVE-2022-0597 6.1 - Medium - February 15, 2022

Open Redirect in Packagist microweber/microweber prior to 1.2.11.

Open Redirect

CVE-2022-0560 6.1 - Medium - February 11, 2022

Open Redirect in Packagist microweber/microweber prior to 1.2.11.

Open Redirect

CVE-2022-0557 7.2 - High - February 11, 2022

OS Command Injection in Packagist microweber/microweber prior to 1.2.11.

Shell injection

CVE-2022-0558 5.4 - Medium - February 10, 2022

Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.

XSS

CVE-2022-0505 6.5 - Medium - February 08, 2022

Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11.

Session Riding

CVE-2022-0506 5.4 - Medium - February 08, 2022

Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.

XSS

CVE-2022-0504 6.5 - Medium - February 08, 2022

Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11.

Generation of Error Message Containing Sensitive Information

CVE-2022-0378 5.4 - Medium - January 26, 2022

Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.

XSS

CVE-2022-0379 5.4 - Medium - January 26, 2022

Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.

XSS

CVE-2022-0282 7.5 - High - January 20, 2022

Cross-site Scripting in Packagist microweber/microweber prior to 1.2.11.

XSS

CVE-2022-0281 7.5 - High - January 20, 2022

Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11.

Information Disclosure

CVE-2022-0277 6.5 - Medium - January 20, 2022

Incorrect Permission Assignment for Critical Resource in Packagist microweber/microweber prior to 1.2.11.

Incorrect Permission Assignment for Critical Resource

CVE-2022-0278 5.4 - Medium - January 20, 2022

Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.

XSS

CVE-2021-33988 6.1 - Medium - October 19, 2021

A Cross Site Scripting (XSS) vulnerability exists in Microweber CMS 1.2.7 via the Login form, which could let a malicious user execute JavaScript by inserting code in the request form.

XSS

CVE-2020-28337 7.2 - High - February 15, 2021

A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.

Directory traversal

CVE-2020-23140 8.1 - High - November 09, 2020

Microweber 1.1.18 is affected by insufficient session expiration. When a user changes their password or email, existing sessions in any other browser or device do not expire and remain active.

Insufficient Session Expiration

CVE-2020-23139 5.5 - Medium - November 09, 2020

Microweber 1.1.18 is affected by broken authentication and session management. Local session hijacking may occur, which could result in unauthorized access to system data or functionality, or a complete system compromise.

Authentication

CVE-2020-23138 9.8 - Critical - November 09, 2020

An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. An attacker can upload PHP code or a file with any extension (e.g. .exe) to the web server by providing image data and the image/jpeg content type with a .php extension.

Unrestricted File Upload

CVE-2020-23136 5.5 - Medium - November 09, 2020

Microweber v1.1.18 is affected by no session expiry after log-out.

Insufficient Session Expiration

CVE-2020-13405 7.5 - High - July 16, 2020

userfiles/modules/users/controller/controller.php in Microweber before 1.1.20 allows an unauthenticated user to disclose the users database via a /modules/ POST request.

Information Disclosure

CVE-2018-19917 6.1 - Medium - March 21, 2019

Microweber 1.0.8 has reflected cross-site scripting (XSS) vulnerabilities.

XSS

CVE-2018-1000826 6.1 - Medium - December 20, 2018

Microweber version <= 1.0.7 contains a Cross Site Scripting (XSS) vulnerability in Admin login form template that can result in Execution of JavaScript code.

XSS

CVE-2018-17104 8.8 - High - September 16, 2018

An issue was discovered in Microweber 1.0.7. There is a CSRF attack (against the admin user) that can add an administrative account via api/save_user.

Session Riding
