Unknown · Microweber · CVE-2026-12198
**Name of the Vulnerable Software and Affected Versions**
Microweber versions prior to 2.0.21
**Description**
A path traversal issue exists in the API Endpoint component. A remote attacker can manipulate the `cache_path_relative` argument within the `userfiles_path()` function of the `/api_nosession/thumbnail_img` endpoint to access files and directories outside the intended folder.
**Recommendations**
Update to version 2.0.21 or later.
As a temporary workaround, restrict access to the `/api_nosession/thumbnail_img` endpoint.
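
To check whether the endpoint has already been probed, the following added example (not part of the advisory or of Microweber's code) scans access-log lines for requests to the thumbnail endpoint whose path argument contains a `..` segment after repeated percent-decoding. The endpoint and argument names are those in the advisory, spelled with underscores; the combined log format, delivery of the argument in the query string, and all sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Names as given in the advisory; query-string delivery is an assumption.
ENDPOINT = "/api_nosession/thumbnail_img"
PARAM = "cache_path_relative"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if any path segment is '..' once decoded and '\\' is treated as '/'."""
    path = fully_decode(value).replace("\\", "/")
    return ".." in path.split("/")

def suspicious_requests(log_lines):
    """Return request targets that hit ENDPOINT with a traversal-like PARAM."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        target = urlsplit(match.group(1)) if match else None
        # endswith() also covers installs served from a subdirectory.
        if target is None or not target.path.rstrip("/").endswith(ENDPOINT):
            continue
        params = parse_qsl(target.query, keep_blank_values=True)
        if any(k == PARAM and is_traversal(v) for k, v in params):
            hits.append(match.group(1))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "GET /api_nosession/thumbnail_img?cache_path_relative=thumbs/a1.jpg HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:01 +0000] "GET /api_nosession/thumbnail_img?cache_path_relative=thumbs/v1..2/a.jpg HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "GET /api_nosession/thumbnail_img?cache_path_relative=..%2F..%2Fsomefile HTTP/1.1" 200 90',
    '203.0.113.9 - - [01/Jan/2026:10:00:03 +0000] "GET /api_nosession/thumbnail_img?cache_path_relative=%252e%252e%252fsomefile HTTP/1.1" 200 90',
    '203.0.113.9 - - [01/Jan/2026:10:00:04 +0000] "GET /site/api_nosession/thumbnail_img?cache_path_relative=..%5Csomefile HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /other?cache_path_relative=../somefile HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit only shows that a traversal-shaped value was sent; the response status and size in the same log line help decide which requests need follow-up.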