Path Traversal via Files Manager in microweber/microweber


Reported on

Jun 1st 2022



Steps to reproduce

1. Log in to the admin panel and go to Modules -> Files (http://localhost/microweber/admin/view:modules/load_module:files)

2. Click any file; the URL will have the following format: http://localhost/microweber/admin/view:modules/load_module:files#select-file=http://localhost/microweber/userfiles/media/default/defaultprofile_445.jpg

3. Change the URL to http://localhost/microweber/admin/view:modules/load_module:files#select-file=http://localhost/test.txt (test.txt is a file outside of microweber's directory)

4. The content of test.txt (which is outside of microweber's directory) will appear in the dialog

Image POC


Attacker can read files outside the microweber folder
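The root cause in the steps above is that the `select-file` value is mapped to a local path without checking where that path ends up. The following is an added example, not microweber's code, of the containment check a files manager needs: it maps the URL to a path, canonicalises it, and only returns it if it lies under the one allowed directory. The document root and `userfiles` directory paths are constructed for illustration.

```python
# Added example (not microweber's code): validating a 'select-file' style
# parameter so the files manager can only open files under its own userfiles
# directory. Paths below are constructed for illustration.
import os
from urllib.parse import unquote, urlparse


def resolve_selected_file(select_file: str, document_root: str, allowed_dir: str):
    """Map a select-file URL to a local path and return it only if the
    resolved location lies inside allowed_dir; otherwise return None.

    document_root: filesystem directory the web server serves '/' from
    allowed_dir:   the one directory the files manager may read from
    """
    # The web server decodes %XX sequences before mapping the URL, so decode
    # here too, otherwise '..%2F' would slip past a naive string check.
    url_path = unquote(urlparse(select_file).path)
    candidate = os.path.join(document_root, url_path.lstrip("/"))
    # realpath collapses '..' segments and follows symlinks, so the check
    # below is made on where the file really is, not on how it was spelled.
    real = os.path.realpath(candidate)
    base = os.path.realpath(allowed_dir)
    # commonpath rather than startswith: '/x/userfiles_old' starts with
    # '/x/userfiles' as a string but is a different directory.
    if os.path.commonpath([base, real]) != base:
        return None
    return real


def demo():
    """Run the report's two URLs plus two variants through the check."""
    document_root = "/var/www/html"                      # constructed
    allowed_dir = "/var/www/html/microweber/userfiles"   # constructed
    cases = {
        "profile_image": "http://localhost/microweber/userfiles/media/default/defaultprofile_445.jpg",
        "outside_root": "http://localhost/test.txt",  # the report's PoC value
        "dot_dot": "http://localhost/microweber/userfiles/..%2F..%2Ftest.txt",
        "sibling_dir": "http://localhost/microweber/userfiles_old/secret.txt",
    }
    return {name: resolve_selected_file(url, document_root, allowed_dir)
            for name, url in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} -> {'allowed: ' + result if result else 'rejected'}")
```

Only the profile image under `userfiles` is returned; the report's `test.txt`, the encoded `..` variant and the look-alike sibling directory are all rejected.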

We are processing your report and will contact the microweber team within 24 hours. a month ago
We have contacted a member of the microweber team and are waiting to hear back a month ago
Bozhidar Slaveykov modified the Severity from Medium to Low a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Bozhidar Slaveykov validated this vulnerability a month ago
Domiee13 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bozhidar Slaveykov confirmed that a fix has been merged on 16db81 a month ago
Bozhidar Slaveykov has been awarded the fix bounty a month ago


@admin can we assign a CVE to this vulnerability?

Jamie Slome
a month ago


We do not auto-assign CVEs to reports that have been given a low severity rating.
