PT-2021-11504 · Unknown · Microweber

Sl1Nki · Published 2021-02-15 · Updated 2022-02-10 · CVE-2020-28337

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Microweber versions 1.1.20 and earlier
Description: A directory traversal issue in the Utils/Unzip module allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit this issue, an attacker must have administrative user credentials, upload a maliciously constructed ZIP file with relative paths (e.g., ../../), move this file into the backup directory, and execute a restore on this file.
Recommendations: For Microweber versions 1.1.20 and earlier, update to a version later than 1.1.20 to resolve the issue. As a temporary workaround, consider restricting access to the backup restore feature and the Utils/Unzip module to minimize the risk of exploitation. Avoid using the backup restore feature with untrusted ZIP files until the issue is resolved.
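The defect described above is a classic Zip Slip: archive entries are written to wherever their stored path points, so an entry such as ../../something lands outside the backup directory. The following is an added example, not Microweber's code, showing the per-entry check a restore routine should perform before extraction, run over a constructed sample archive that mixes one benign entry with one traversal entry. Function names, the sample entries and the temporary destination directory are all assumptions made for this example.

```python
import io
import os
import tempfile
import zipfile

def is_safe_member(name: str, dest: str) -> bool:
    """True only if ZIP entry `name` resolves to a path inside `dest`."""
    # Some archivers emit backslash separators; treat them as path separators
    # so "..\\..\\x" cannot slip past a check that only looks for "../".
    normalised = name.replace("\\", "/")
    # Absolute paths and drive-qualified names must never be honoured.
    if normalised.startswith("/") or os.path.isabs(normalised) or os.path.splitdrive(normalised)[0]:
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, normalised))
    # Compare with the separator appended so "/tmp/x" does not match "/tmp/xyz".
    return target == dest_real or target.startswith(dest_real + os.sep)

def safe_extract(zip_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract `zip_bytes` into `dest`; return (extracted, rejected) entry names."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest):
                rejected.append(info.filename)   # log this: it is a restore-time indicator
                continue
            zf.extract(info, dest)               # path validated above
            extracted.append(info.filename)
    return extracted, rejected

def build_sample_archive() -> bytes:
    """Constructed sample (not a real backup): one benign entry, one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("backup/config.json", '{"site": "example"}')
        zf.writestr("../../outside.txt", "escaped the backup directory")
    return buf.getvalue()

def demo() -> dict:
    """Restore the sample archive into a fresh temp dir and report what happened."""
    dest = tempfile.mkdtemp(prefix="restore_")           # assumed destination
    extracted, rejected = safe_extract(build_sample_archive(), dest)
    outside = os.path.join(dest, "..", "..", "outside.txt")
    return {"extracted": extracted, "rejected": rejected,
            "outside_written": os.path.exists(outside)}

if __name__ == "__main__":
    print(demo())
```

A rejected entry during a restore is worth alerting on, since a legitimate backup produced by the application itself should never contain traversal components.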

Tags: Exploit · Fix · RCE · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2020-28337
GHSA-PQCF-V8V5-JMCG

Affected Products

Microweber