| Field | Value |
|---|---|
| Title | Microweber 2.0.20 Path Traversal |
| Description | An unauthenticated path traversal vulnerability exists in Microweber v2.0.20 in the publicly reachable hidden API endpoint /api_nosession/thumbnail_img. The cache_path_relative parameter is not properly validated before being used in filesystem path construction, and traversal sequences such as ../ are not removed. Under the tested conditions, this allows arbitrary file read and path-controlled file write outside the intended thumbnail cache directory. The issue was privately reported to the vendor by email in early April 2026. A limited public GitHub issue was opened in mid-April 2026, but as of May 14, 2026 no vendor response has been received. Public technical references are provided for CNA/VulDB review. |
| Source | https://github.com/whuHouYF/microweber-vuldb-disclosure-2026/blob/991630c494a99c70a96e456992a04de2ecb5a1e1/reports/microweber-path-traversal.md |
| User | TarryHou (UID 97936) |
| Submission | 14.05.2026 11:55 (1 month ago) |
| Moderation | 14.06.2026 09:10 (1 month later) |
| Status | Accepted |
| VulDB Entry | 370841 [Microweber up to 2.0.20 API Endpoint thumbnail_img userfiles_path cache_path_relative Directory Traversal] |
| Points | 20 |