Unknown · Microweber CMS · CVE-2025-34076
Name of the Vulnerable Software and Affected Versions:
Microweber CMS versions <= 1.2.11
Description:
An authenticated arbitrary file read (reported as a local file inclusion issue) exists in the backup management API. The `/api/BackupV2/upload` endpoint accepts a `src` parameter that the backup logic uses without checking that it points inside the backup directory, so an authenticated user can supply an absolute path to any file the web server process can read. The file referenced by `src` then becomes retrievable through `/api/BackupV2/download`, disclosing its contents. The root cause is insufficient validation of user-supplied paths combined with no restriction on which files the backup logic is allowed to access.
Recommendations:
Until a patched release is available, treat the backup API of Microweber CMS versions <= 1.2.11 as exposed: disable or block the `/api/BackupV2/upload` and `/api/BackupV2/download` endpoints (for example at the web server or WAF) and restrict whatever remains of the backup management API to the smallest set of administrative accounts. If the endpoints must stay enabled, enforce server-side that the `src` parameter resolves to a path inside the backup directory and reject absolute paths, `..` segments and embedded null bytes; relying on clients not sending an absolute path is not a mitigation. Review web server logs for upload requests whose `src` is an absolute or traversing path, since a vulnerable instance may already have been used to read files.
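The two points above, the missing path validation in the Description and the log review in the Recommendations, are illustrated below as an added example in Python. This is not Microweber code (the project is PHP) and not the advisory's exploit; only the endpoint names and the `src` parameter come from the advisory. The backup directory layout, the assumption that `src` appears in the query string of logged requests, the combined-format log lines and the function names are all constructed for the example.

```python
"""Added example, not Microweber code: confine a user-supplied backup `src`
to the backup directory, then triage access-log lines for the abuse pattern
described for CVE-2025-34076. Endpoint names are from the advisory; the
directory layout, log format and helper names are assumptions."""
import os
import re
import tempfile
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit


def resolve_backup_src(src: str, backup_root: str) -> Optional[str]:
    """Return the absolute path of `src` if it is a regular file inside
    `backup_root` after symlink resolution, otherwise None.

    Using `src` as-is (the weakness the advisory describes) would let
    '/etc/passwd' through; every branch below closes one way around the
    backup directory."""
    if not src or "\x00" in src:          # empty or NUL-truncation attempt
        return None
    if os.path.isabs(src):                # a backup source is never an absolute host path
        return None
    root = os.path.realpath(backup_root)
    candidate = os.path.realpath(os.path.join(root, src))
    # realpath collapses '..' and follows symlinks, so both a traversal and a
    # symlink pointing outside the root fail this containment check.
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo_containment() -> dict:
    """Build a throwaway backup directory and exercise the check.
    Returns a mapping of case name -> result for inspection."""
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "backups")
    os.mkdir(root)
    secret = os.path.join(tmp, "secret.txt")          # stands in for a host file
    with open(secret, "w") as f:
        f.write("not for download\n")
    with open(os.path.join(root, "site.zip"), "w") as f:
        f.write("zip placeholder\n")
    results = {
        "legit": resolve_backup_src("site.zip", root) is not None,
        "absolute": resolve_backup_src(secret, root),
        "traversal": resolve_backup_src("../secret.txt", root),
        "nul": resolve_backup_src("site.zip\x00../secret.txt", root),
    }
    try:
        os.symlink(secret, os.path.join(root, "link.zip"))
        results["symlink_out"] = resolve_backup_src("link.zip", root)
    except OSError:
        pass                                           # symlinks unsupported here; skip case
    return results


# Constructed sample log lines (combined format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "POST /api/BackupV2/upload?src=%2Fetc%2Fpasswd HTTP/1.1" 200 120',
    '10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /api/BackupV2/download?file=passwd HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "POST /api/BackupV2/upload?src=site.zip HTTP/1.1" 200 120',
    '10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "POST /api/BackupV2/upload?src=..%2F..%2F.env HTTP/1.1" 200 120',
    '10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 5000',
]


def flag_backup_upload_abuse(log_lines):
    """Return (src, line) pairs for requests to /api/BackupV2/upload whose
    `src` query parameter is absolute or contains a '..' segment.
    Assumes `src` is visible in the logged request line; a `src` sent only in
    a POST body would need request-body logging instead."""
    hits = []
    for line in log_lines:
        try:
            request = line.split('"')[1]               # 'POST /path?x=y HTTP/1.1'
            _method, target, _proto = request.split(" ", 2)
        except (IndexError, ValueError):
            continue                                    # malformed line, skip
        parts = urlsplit(target)
        if not parts.path.startswith("/api/BackupV2/upload"):
            continue
        for src in parse_qs(parts.query).get("src", []):
            src = unquote(src)                          # second decode catches %252F-style double encoding
            if os.path.isabs(src) or ".." in re.split(r"[\\/]", src):
                hits.append((src, line))
    return hits


if __name__ == "__main__":
    print(demo_containment())
    for src, line in flag_backup_upload_abuse(SAMPLE_LOG):
        print("suspicious src:", src, "|", line)
```

`resolve_backup_src` rejects absolute paths before touching the filesystem and then re-checks containment after `realpath`, so a relative path that escapes via `..` or a symlink planted inside the backup directory is refused as well. The log triage is deliberately crude (it only sees what the access log records) and is meant as a starting point for checking whether an exposed instance has already been probed.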