Vendor CVEs
Microweber
All CVEs
108 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-23138 | Microweber | Critical | 0.64 | 9.8 | 0.01 | | Nov 9, 2020 | An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. An attacker can upload PHP code or any extension (e.g. .exe) to the web server by providing image data and the image/jpeg content type with a .php extension. |
| CVE-2023-49052 | Microweber | High | 0.57 | 8.8 | 0.02 | | Nov 30, 2023 | File Upload vulnerability in Microweber v.2.0.4 allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component. |
| CVE-2023-1877 | Microweber | Critical | 0.57 | 9.8 | 0.02 | | Apr 5, 2023 | Command Injection in GitHub repository microweber/microweber prior to 1.3.3. |
| CVE-2022-33012 | Microweber | High | 0.57 | 8.8 | 0.01 | | Nov 22, 2022 | Microweber v1.2.15 was discovered to allow attackers to perform an account takeover via a host header injection attack. |
| CVE-2021-36461 | Microweber | High | 0.57 | 8.8 | 0.01 | | Jul 15, 2022 | An Arbitrary File Upload vulnerability exists in Microweber 1.1.3 that allows attackers to getshell via the Settings Upload Picture section by uploading pictures with malicious code, user.ini. |
| CVE-2022-0895 | Microweber | Critical | 0.57 | 9.8 | 0.02 | | Mar 10, 2022 | Static Code Injection in GitHub repository microweber/microweber prior to 1.3. |
| CVE-2022-1631 | Microweber | High | 0.54 | 8.8 | 0.09 | | May 9, 2022 | Users Account Pre-Takeover or Users Account Takeover in GitHub repository microweber/microweber prior to 1.2.15. Victim Account Take Over. Since there is no email confirmation, an attacker can easily create an account in the application using the Victim's Email. This allows… |
| CVE-2020-23140 | Microweber | High | 0.53 | 8.1 | 0.01 | | Nov 9, 2020 | Microweber 1.1.18 is affected by insufficient session expiration. When changing passwords, both sessions for when a user changes email and old sessions in any other browser or device, the session does not expire and remains active. |
| CVE-2023-2240 | Microweber | High | 0.50 | 8.8 | 0.01 | | Apr 22, 2023 | Improper Privilege Management in GitHub repository microweber/microweber prior to 1.3.4. |
| CVE-2022-0896 | Microweber | High | 0.50 | 8.8 | 0.01 | | Mar 9, 2022 | Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3. |
| CVE-2023-48122 | Microweber | High | 0.49 | 7.5 | 0.01 | | Dec 8, 2023 | An issue in microweber v.2.0.1 and fixed in v.2.0.4 allows a remote attacker to obtain sensitive information via the HTTP GET method. |
| CVE-2026-12198 | Microweber | High | 0.47 | 7.3 | 0.01 | | Jun 15, 2026 | A weakness has been identified in Microweber up to 2.0.20. This affects the function userfiles_path of the file /api_nosession/thumbnail_img of the component API Endpoint. Executing a manipulation of the argument cache_path_relative can lead to path traversal. It is possible to… |
| CVE-2022-0666 | Microweber | High | 0.45 | 7.5 | 0.44 | | Feb 18, 2022 | CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11. |
| CVE-2022-4732 | Microweber | High | 0.43 | 7.2 | 0.38 | | Dec 27, 2022 | Unrestricted Upload of File with Dangerous Type in GitHub repository microweber/microweber prior to 1.3.2. |
| CVE-2022-0281 | Microweber | High | 0.43 | 7.5 | 0.12 | | Jan 20, 2022 | Exposure of Sensitive Information to an Unauthorized Actor in Packagist microweber/microweber prior to 1.2.11. |
| CVE-2023-5318 | Microweber | High | 0.42 | 7.5 | 0.01 | | Sep 30, 2023 | Use of Hard-coded Credentials in GitHub repository microweber/microweber prior to 2.0. |
| CVE-2022-1036 | Microweber | High | 0.42 | 7.5 | 0.01 | | Mar 22, 2022 | Able to create an account with long password leads to memory corruption / Integer Overflow in GitHub repository microweber/microweber prior to 1.2.12. |
| CVE-2022-0913 | Microweber | High | 0.42 | 7.5 | 0.01 | | Mar 11, 2022 | Integer Overflow or Wraparound in GitHub repository microweber/microweber prior to 1.3. |
| CVE-2022-0777 | Microweber | High | 0.42 | 7.5 | 0.01 | | Mar 1, 2022 | Weak Password Recovery Mechanism for Forgotten Password in GitHub repository microweber/microweber prior to 1.3. |
| CVE-2022-0660 | Microweber | High | 0.42 | 7.5 | 0.07 | | Feb 18, 2022 | Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11. |
| CVE-2022-0698 | Microweber | Medium | 0.40 | 6.1 | 0.01 | | Nov 25, 2022 | Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the 'select-file' parameter. |
| CVE-2018-19917 | Microweber | Medium | 0.40 | 6.1 | 0.02 | | Mar 21, 2019 | Microweber 1.0.8 has reflected cross-site scripting (XSS) vulnerabilities. |
| CVE-2022-0921 | Microweber | Medium | 0.37 | 6.7 | 0.02 | | Mar 11, 2022 | Abusing Backup/Restore feature to achieve Remote Code Execution in GitHub repository microweber/microweber prior to 1.2.12. |
| CVE-2020-23139 | Microweber | Medium | 0.36 | 5.5 | 0.00 | | Nov 9, 2020 | Microweber 1.1.18 is affected by broken authentication and session management. Local session hijacking may occur, which could result in unauthorized access to system data or functionality, or a complete system compromise. |
| CVE-2023-6566 | Microweber | Medium | 0.35 | 6.5 | 0.00 | | Dec 7, 2023 | Business Logic Errors in GitHub repository microweber/microweber prior to 2.0. |
| CVE-2023-2239 | Microweber | Medium | 0.35 | 6.5 | 0.01 | | Apr 22, 2023 | Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository microweber/microweber prior to 1.3.4. |
| CVE-2022-2368 | Microweber | Medium | 0.35 | 6.5 | 0.01 | | Jul 11, 2022 | Authentication Bypass by Spoofing in GitHub repository microweber/microweber prior to 1.2.20. |
| CVE-2022-0724 | Microweber | Medium | 0.35 | 6.5 | 0.01 | | Feb 23, 2022 | Insecure Storage of Sensitive Information in GitHub repository microweber/microweber prior to 1.3. |
| CVE-2022-0721 | Microweber | Medium | 0.35 | 6.5 | 0.01 | | Feb 23, 2022 | Insertion of Sensitive Information Into Debugging Code in GitHub repository microweber/microweber prior to 1.3. |
| CVE-2022-0505 | Microweber | Medium | 0.35 | 6.5 | 0.01 | | Feb 8, 2022 | Cross-Site Request Forgery (CSRF) in Packagist microweber/microweber prior to 1.2.11. |
| CVE-2022-0504 | Microweber | Medium | 0.35 | 6.5 | 0.01 | | Feb 8, 2022 | Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11. |
| CVE-2022-0277 | Microweber | Medium | 0.35 | 6.5 | 0.01 | | Jan 20, 2022 | Incorrect Permission Assignment for Critical Resource in Packagist microweber/microweber prior to 1.2.11. |
| CVE-2023-5244 | Microweber | Medium | 0.33 | 6.1 | 0.01 | | Sep 28, 2023 | Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 2.0. |
| CVE-2021-32856 | Microweber | Medium | 0.33 | 6.1 | 0.01 | | Feb 21, 2023 | Microweber is a drag and drop website builder and content management system. Versions 1.2.12 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. A… |
| CVE-2022-4647 | Microweber | Medium | 0.33 | 6.1 | 0.00 | | Dec 22, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.2. |
| CVE-2022-4617 | Microweber | Medium | 0.33 | 6.1 | 0.01 | | Dec 21, 2022 | Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3.2. |
| CVE-2022-3245 | Microweber | Medium | 0.33 | 6.1 | 0.01 | | Sep 20, 2022 | HTML injection attack is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input. |
| CVE-2022-3242 | Microweber | Medium | 0.33 | 6.1 | 0.01 | | Sep 20, 2022 | Code Injection in GitHub repository microweber/microweber prior to 1.3.2. |
| CVE-2022-2470 | Microweber | Medium | 0.33 | 6.1 | 0.01 | | Jul 22, 2022 | Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21. |
| CVE-2022-2353 | Microweber | Medium | 0.33 | 6.1 | 0.00 | | Jul 9, 2022 | Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user. |
| CVE-2022-2252 | Microweber | Medium | 0.33 | 6.1 | 0.01 | | Jun 29, 2022 | Open Redirect in GitHub repository microweber/microweber prior to 1.2.19. |
| CVE-2022-2174 | Microweber | Medium | 0.33 | 6.1 | 0.03 | | Jun 22, 2022 | Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.18. |
| CVE-2022-2130 | Microweber | Medium | 0.33 | 6.1 | 0.03 | | Jun 20, 2022 | Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.17. |
| CVE-2022-1584 | Microweber | Medium | 0.33 | 6.1 | 0.01 | | May 4, 2022 | Reflected XSS in GitHub repository microweber/microweber prior to 1.2.16. Executing JavaScript as the victim. |
| CVE-2022-1555 | Microweber | Medium | 0.33 | 6.1 | 0.01 | | May 4, 2022 | DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. Inject arbitrary JS code, deface website, steal cookie... |
| CVE-2022-1504 | Microweber | Medium | 0.33 | 6.1 | 0.01 | | Apr 27, 2022 | XSS in /demo/module/?module=HERE in GitHub repository microweber/microweber prior to 1.2.15. Typical impact of XSS attacks. |
| CVE-2022-1439 | Microweber | Medium | 0.33 | 6.1 | 0.03 | | Apr 22, 2022 | Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press "tab" but there is probably a payload that runs without… |
| CVE-2022-0929 | Microweber | Medium | 0.33 | 6.1 | 0.01 | | Mar 12, 2022 | XSS on dynamic_text module in GitHub repository microweber/microweber prior to 1.2.11. |
| CVE-2022-0690 | Microweber | Medium | 0.33 | 6.1 | 0.01 | | Feb 19, 2022 | Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11. |
| CVE-2022-0678 | Microweber | Medium | 0.33 | 6.1 | 0.02 | | Feb 19, 2022 | Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11. |
Page 1 of 3