Virendratiwari03

**Name of the Vulnerable Software and Affected Versions** Microweber version 1.1.18 **Description** The issue concerns a problem where there is no session expiry after a user logs out. This could potentially allow unauthorized access to a user's session after they have logged out. **Recommendations** For Microweber version 1.1.18, consider implementing a custom session expiry mechanism as a temporary workaround until a patch is available. Restrict access to sensitive features and data to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Microweber version 1.1.18 **Description** An unrestricted file upload vulnerability was discovered in the Microweber admin account page. An attacker can upload PHP code or any extension (e.g., .exe) to the web server by providing image data and the `image/jpeg` content type with a `.php` extension. **Recommendations** For Microweber version 1.1.18, consider restricting file uploads to only allowed extensions and validating the content type of uploaded files to prevent exploitation. As a temporary workaround, restrict access to the admin account page until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Microweber version 1.1.18 **Description** The issue concerns broken authentication and session management, which may lead to local session hijacking. This could result in unauthorized access to system data or functionality, or a complete system compromise. **Recommendations** For Microweber version 1.1.18, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microweber version 1.1.18 **Description** The issue concerns insufficient session expiration. When a user changes their password, both the session for the email change and old sessions on other browsers or devices remain active and do not expire. **Recommendations** For Microweber version 1.1.18, as a temporary workaround, consider implementing a manual session expiration mechanism after password changes to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Microweber version 1.1.18 **Description** The issue allows Unrestricted File Upload because the "admin/view:modules/load module:users#edit-user=1" endpoint does not verify that the file extension corresponds to an image file when using the Add Image option on the Edit User screen. **Recommendations** For Microweber version 1.1.18, as a temporary workaround, consider disabling the image upload functionality in the Edit User screen until a patch is available. Restrict access to the "admin/view:modules/load module:users#edit-user=1" endpoint to minimize the risk of exploitation. Avoid using the file upload option in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.