← back
CVE-2020-28337

CVE-2020-28337

EPSS 16.6%
Vexday Risk Score
28Low
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Public proof of concept exists, but not yet automated.
CVSS EPSS 16.6%KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
15 Feb 2021Published on NVD
10 May 2021Public PoC
Weaponization speed
83 daysto first PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file.
Affected products
n/a · n/a
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.