CVE-2020-28337
moderate-risk
Published 2021-02-15
A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.
Do I need to act?
!
13.8% chance of exploitation in next 30 days
EPSS score — higher than 86% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.2/10
High
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (8)
Third Party Advisory
https://sl1nki.page/advisories/CVE-2020-28337
Third Party Advisory
https://sl1nki.page/advisories/CVE-2020-28337
43
/ 100
moderate-risk
Severity
26/34 · High
Exploitability
12/34 · Low
Exposure
5/34 · Minimal