CVE-2020-23138 — CRITICAL (9.8)

Vulnerability Description

An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. An attacker can upload PHP code or any extension (eg- .exe) to the web server by providing image data and the image/jpeg content type with a .php extension.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Microweber	Microweber	1.1.18

Related Weaknesses (CWE)

CWE-434

References

https://gist.github.com/virendratiwari03/0918aaba97eba31666630996ab3aeec3Third Party Advisory
https://gist.github.com/virendratiwari03/800f96271f22c0c2f5aea126c7f1f170Third Party Advisory
https://gist.github.com/virendratiwari03/0918aaba97eba31666630996ab3aeec3Third Party Advisory
https://gist.github.com/virendratiwari03/800f96271f22c0c2f5aea126c7f1f170Third Party Advisory

FAQ

What is CVE-2020-23138?

CVE-2020-23138 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An unrestricted file upload vulnerability was discovered in the Microweber 1.1.18 admin account page. An attacker can upload PHP code or any extension (eg- .exe) to the web server by providing image d...

How severe is CVE-2020-23138?

CVE-2020-23138 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2020-23138?

Check the references section above for vendor advisories and patch information. Affected products include: Microweber Microweber.