Microweber
108 CVEs

Recent CVEs

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-23138 | Microweber | Critical | 0.64 | 9.8 | 0.01 | | Nov 9, 2020 | An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. An attacker can upload PHP code or any extension (e.g. .exe) to the web server by providing image data and the image/jpeg content type with a .php extension. |
| CVE-2023-49052 | Microweber | High | 0.57 | 8.8 | 0.02 | | Nov 30, 2023 | File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component. |
| CVE-2023-1877 | Microweber | Critical | 0.57 | 9.8 | 0.02 | | Apr 5, 2023 | Command Injection in GitHub repository microweber/microweber prior to 1.3.3. |
| CVE-2022-33012 | Microweber | High | 0.57 | 8.8 | 0.01 | | Nov 22, 2022 | Microweber v1.2.15 was discovered to allow attackers to perform an account takeover via a host header injection attack. |
| CVE-2021-36461 | Microweber | High | 0.57 | 8.8 | 0.01 | | Jul 15, 2022 | An Arbitrary File Upload vulnerability exists in Microweber 1.1.3 that allows attackers to getshell via the Settings Upload Picture section by uploading pictures with malicious code, user.ini. |
| CVE-2022-0895 | Microweber | Critical | 0.57 | 9.8 | 0.02 | | Mar 10, 2022 | Static Code Injection in GitHub repository microweber/microweber prior to 1.3. |
| CVE-2022-1631 | Microweber | High | 0.54 | 8.8 | 0.09 | | May 9, 2022 | Users Account Pre-Takeover or Users Account Takeover in GitHub repository microweber/microweber prior to 1.2.15. Victim Account Take Over. Since there is no email confirmation, an attacker can easily create an account in the application using the Victim’s Email. This allows… |
| CVE-2020-23140 | Microweber | High | 0.53 | 8.1 | 0.01 | | Nov 9, 2020 | Microweber 1.1.18 is affected by insufficient session expiration. When changing passwords, both sessions for when a user changes email and old sessions in any other browser or device, the session does not expire and remains active. |
| CVE-2023-2240 | Microweber | High | 0.50 | 8.8 | 0.01 | | Apr 22, 2023 | Improper Privilege Management in GitHub repository microweber/microweber prior to 1.3.4. |
| CVE-2022-0896 | Microweber | High | 0.50 | 8.8 | 0.01 | | Mar 9, 2022 | Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3. |
| CVE-2023-48122 | Microweber | High | 0.49 | 7.5 | 0.01 | | Dec 8, 2023 | An issue in microweber v.2.0.1 and fixed in v.2.0.4 allows a remote attacker to obtain sensitive information via the HTTP GET method. |
| CVE-2026-12198 | Microweber | High | 0.47 | 7.3 | 0.01 | | Jun 15, 2026 | A weakness has been identified in Microweber up to 2.0.20. This affects the function userfiles_path of the file /api_nosession/thumbnail_img of the component API Endpoint. Executing a manipulation of the argument cache_path_relative can lead to path traversal. It is possible to… |
| CVE-2022-0666 | Microweber | High | 0.45 | 7.5 | 0.44 | | Feb 18, 2022 | CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11. |
| CVE-2022-4732 | Microweber | High | 0.43 | 7.2 | 0.38 | | Dec 27, 2022 | Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.3.2. |
| CVE-2022-0281 | Microweber | High | 0.43 | 7.5 | 0.12 | | Jan 20, 2022 | Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11. |
| CVE-2023-5318 | Microweber | High | 0.42 | 7.5 | 0.01 | | Sep 30, 2023 | Use of Hard-coded Credentials in GitHub repository microweber/microweber prior to 2.0. |
| CVE-2022-1036 | Microweber | High | 0.42 | 7.5 | 0.01 | | Mar 22, 2022 | Able to create an account with long password leads to memory corruption / Integer Overflow in GitHub repository microweber/microweber prior to 1.2.12. |
| CVE-2022-0913 | Microweber | High | 0.42 | 7.5 | 0.01 | | Mar 11, 2022 | Integer Overflow or Wraparound in GitHub repository microweber/microweber prior to 1.3. |
| CVE-2022-0777 | Microweber | High | 0.42 | 7.5 | 0.01 | | Mar 1, 2022 | Weak Password Recovery Mechanism for Forgotten Password in GitHub repository microweber/microweber prior to 1.3. |
| CVE-2022-0660 | Microweber | High | 0.42 | 7.5 | 0.07 | | Feb 18, 2022 | Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11. |