Path Traversal via Files Manager in microweber/microweber


Reported on Jun 1st 2022



Steps to reproduce

1. Login to the admin panel and go to Modules -> Files (http://localhost/microweber/admin/view:modules/load_module:files)

2. Click any file; the URL will have the following format: http://localhost/microweber/admin/view:modules/load_module:files#select-file=http://localhost/microweber/userfiles/media/default/defaultprofile_445.jpg

3. Change the URL to http://localhost/microweber/admin/view:modules/load_module:files#select-file=http://localhost/test.txt (test.txt is a file outside of microweber's directory)

4. The content of test.txt (which is outside of microweber's directory) will appear in the dialog

Image POC


An attacker can read files outside the microweber folder.
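A containment check of the kind that closes this class of bug, added here as an example and not part of the report or of Microweber's code: it maps a select-file URL onto the media directory and refuses anything that does not resolve inside it. BASE_URL, URL_PREFIX and MEDIA_ROOT are assumed values, not the project's real configuration.

```python
"""Containment check for a file-manager "select-file" parameter.

Added example (not Microweber's code). Assumes the file manager maps
URLs under BASE_URL + "/userfiles/" onto the MEDIA_ROOT directory and
must never serve anything outside that directory.
"""
import os
from urllib.parse import urlsplit, unquote

BASE_URL = "http://localhost/microweber"       # assumed site URL
URL_PREFIX = "/microweber/userfiles/"          # assumed public path of the media folder
MEDIA_ROOT = "/var/www/microweber/userfiles"   # assumed on-disk media folder


class FileOutsideMediaRoot(ValueError):
    """Raised when select-file does not resolve inside MEDIA_ROOT."""


def resolve_select_file(select_file: str) -> str:
    """Map a select-file URL to an on-disk path, or raise if it escapes MEDIA_ROOT."""
    parts = urlsplit(select_file)
    base = urlsplit(BASE_URL)
    # Only same-scheme, same-host URLs are meaningful for the local file manager.
    if parts.scheme != base.scheme or parts.netloc != base.netloc:
        raise FileOutsideMediaRoot(f"foreign origin: {select_file}")
    path = unquote(parts.path)
    # The request must name something under the public media prefix;
    # http://localhost/test.txt from the report fails right here.
    if not path.startswith(URL_PREFIX):
        raise FileOutsideMediaRoot(f"not under {URL_PREFIX}: {path}")
    relative = path[len(URL_PREFIX):]
    # Normalise away any "." / ".." segments (and symlinks) before comparing.
    root = os.path.realpath(MEDIA_ROOT)
    candidate = os.path.realpath(os.path.join(root, relative))
    # Inside the root means: the root itself, or root + separator + something.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise FileOutsideMediaRoot(f"escapes media root: {candidate}")
    return candidate


def is_allowed(select_file: str) -> bool:
    """Convenience wrapper: True if the URL resolves inside MEDIA_ROOT."""
    try:
        resolve_select_file(select_file)
        return True
    except FileOutsideMediaRoot:
        return False
```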

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
Bozhidar Slaveykov modified the Severity from Medium to Low a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Bozhidar Slaveykov validated this vulnerability a year ago
Domiee13 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bozhidar Slaveykov marked this as fixed in 1.2.16 with commit 16db81 a year ago
Bozhidar Slaveykov has been awarded the fix bounty
This vulnerability will not receive a CVE
a year ago


@admin can we assign a CVE to this vulnerability?

Jamie Slome
a year ago


We do not auto-assign CVEs to reports that have been given a low severity rating.
