CVE-2020-28337: Path Traversal
First published: Mon Feb 15 2021(Updated: )
A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microweber WHMCS | <=1.1.20 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2020-28337?
CVE-2020-28337 has been classified as a critical vulnerability due to its potential for remote code execution.
How do I fix CVE-2020-28337?
To fix CVE-2020-28337, update Microweber to version 1.1.21 or later.
What systems are affected by CVE-2020-28337?
CVE-2020-28337 affects Microweber versions up to and including 1.1.20.
Who can exploit CVE-2020-28337?
Only authenticated users with administrative privileges can exploit CVE-2020-28337.
What kind of attack can be performed through CVE-2020-28337?
CVE-2020-28337 allows an authenticated attacker to execute arbitrary code via a directory traversal attack during the backup restore process.
- agent/references
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/author
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- vendor/microweber
- canonical/microweber whmcs
- version/microweber whmcs/1.1.20