High severity7.2NVD Advisory· Published Feb 15, 2021· Updated Jun 17, 2026
CVE-2020-28337
CVE-2020-28337
Description
A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
microweber/microweberPackagist | < 1.2.3 | 1.2.3 |
Affected products
2- Microweber/Microweberdescription
Patches
Vulnerability mechanics
References
6- github.com/microweber/microweber/commit/777ee9c3e7519eb3672c79ac41066175b2001b50nvdPatchThird Party AdvisoryWEB
- packetstormsecurity.com/files/162514/Microweber-CMS-1.1.20-Remote-Code-Execution.htmlnvdExploitThird Party AdvisoryVDB EntryWEB
- sl1nki.page/blog/2021/02/01/microweber-zip-slipnvdExploitPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-pqcf-v8v5-jmcgghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-28337ghsaADVISORY
- sl1nki.page/advisories/CVE-2020-28337nvdThird Party AdvisoryWEB
News mentions
0No linked articles in our index yet.