Vulnerability

CVE ID: CVE-2020-28337

CVSS Score: 6.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)

Affected Vendors: Microweber

Affected Products: Microweber (<=1.1.20)

Description

In Microweber version 1.1.20 and earlier, when a backup file is restored the normalized filenames of the extracted files are not sanitized in a way that protects against a directory traversal attack. This is often referred to as a Zip Slip vulnerability. The API endpoint necessary to execute the restore, /api/Microweber/Utils/Backup/restore, is restricted to admin users, and thus admin user credentials are required to exploit this vulnerability.

More detail can be found in the associated blog post.

Impact

The impact of this vulnerability is that arbitrary paths can be provided within the zip such as ../../../../payload.php and allow arbitrary files contained within the zip to be written to arbitrary directories on the server in the user context of the web server. While the default proof-of-concept writes a php file within the web root for code execution, an attacker can write arbitrary files outside of the web root in the user context of the web server as well. Additionally, the extracted filenames are not sanitized against the dangerous file extension list, enabling an extension filter bypass.

Vendor Response

Microweber responded very quickly and had a patch committed within a few hours of verifying the vulnerability. The patch addresses the vulnerability by skipping filenames containing .. in the backup, and was applied to both the zip_open and gzinflate extraction execution trees.
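As an added example (not Microweber's code and not the proof-of-concept attached to this advisory), the following shows the per-entry check a restore routine should apply before writing any archive member: a containment check that the resolved target stays under the destination directory, which is the robust form of the vendor's ".." filter, plus the extension check the description notes was missing. The destination path, the dangerous-extension list and the archive contents are constructed assumptions.

```python
import io
import os
import posixpath
import zipfile

# Assumed block list; Microweber's actual list is not reproduced here.
DANGEROUS_EXTENSIONS = {"php", "phtml", "php3", "php5", "phar"}


def build_sample_archive() -> bytes:
    """Constructed in-memory backup: one benign entry and two that must be skipped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/site.json", "{}")
        zf.writestr("../../../../payload.php", "<?php ?>")  # traversal outside dest
        zf.writestr("uploads/shell.php", "<?php ?>")  # blocked extension inside dest
    return buf.getvalue()


def safe_member_path(dest_dir: str, member_name: str):
    """Return the absolute path to write a zip member to, or None if it must be skipped."""
    # Zip names use "/"; normalize so "." and doubled separators collapse.
    name = posixpath.normpath(member_name.replace("\\", "/"))
    if name == "." or name.startswith("/") or name.startswith("../") or "/../" in name:
        return None
    # Containment: resolve symlinks and ".." and require the result to stay under dest_dir.
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return None
    # Extension filter applied to the final file name, not the raw archive entry.
    base = posixpath.basename(name)
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext in DANGEROUS_EXTENSIONS:
        return None
    return target


def classify_members(archive_bytes: bytes, dest_dir: str):
    """Split archive entries into those a restore may write and those it must skip."""
    accepted, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            (skipped if safe_member_path(dest_dir, info.filename) is None
             else accepted).append(info.filename)
    return accepted, skipped
```

Only entries in the accepted list would be passed on to the actual write; everything else is logged and dropped.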

Disclosure Timeline

  • 2020-10-31 - Vulnerability Discovered
  • 2020-11-03 - Disclosed to Microweber
  • 2020-11-04 - Microweber confirmed vulnerability
  • 2020-11-04 - Patch made available
  • 2021-02-01 - Public Disclosure

Proof-of-Concept

cve-2020-28337.py.txt