Microweber CMS, Authenticated Local File Inclusion, CVE-2025-XXXX (Moderate)


How the CVE Works

Microweber CMS versions < 1.2.11 suffer from an authenticated local file inclusion vulnerability due to improper path validation in the backup management API. Attackers with authenticated access can manipulate the `/api/BackupV2/upload` endpoint by supplying an absolute path in the `src` parameter, forcing the server to relocate or delete arbitrary files. The `/api/BackupV2/download` endpoint then allows retrieval of the file contents. This occurs because the API fails to sanitize user-controlled paths, enabling unauthorized file system access under the web service user’s permissions.

DailyCVE Form

Platform: Microweber CMS
Version: < 1.2.11
Vulnerability: Local File Inclusion
Severity: Moderate
Date: Jul 2, 2025

Prediction: Patch by Jul 20, 2025

What Undercode Say

Analytics:

curl -X POST 'http://target/api/BackupV2/upload' -d 'src=/etc/passwd'
curl -X GET 'http://target/api/BackupV2/download?file=malicious_backup'

How to Exploit:

1. Authenticate to Microweber CMS.

2. Craft malicious upload request with absolute path.

3. Retrieve file via download endpoint.

Protection from this CVE:

  • Update to Microweber CMS ≥ 1.2.11.
  • Restrict backup API access.
  • Implement path sanitization.
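
The "path sanitization" item above is the fix that removes the root cause. The following is an added example written for this post, not Microweber's own code: a PHP helper that resolves a user-supplied backup name strictly inside an assumed backup directory (`BACKUP_DIR` and `safe_backup_path` are illustrative names). It rejects absolute paths such as `/etc/passwd`, traversal segments, NUL bytes and symlink escapes, and returns `null` for anything that does not canonicalise under the backup directory.

```php
<?php
// Added example (not Microweber's own code): validate a user-supplied backup
// file name before passing it to any filesystem call. BACKUP_DIR and
// safe_backup_path() are assumed names used only for this illustration.

const BACKUP_DIR = '/var/www/storage/backups';   // assumed backup location

/**
 * Resolve $userInput to an existing file strictly inside $baseDir, or return null.
 * Rejects absolute paths, traversal segments, NUL bytes and anything that
 * canonicalises outside the backup directory (symlinks included).
 */
function safe_backup_path(string $userInput, string $baseDir = BACKUP_DIR): ?string
{
    // Embedded NUL bytes truncate paths in C-level APIs; refuse them outright.
    if (strpos($userInput, "\0") !== false) {
        return null;
    }
    // Accept only a bare file name. basename() would silently turn "/etc/passwd"
    // into "passwd", so compare against it instead of normalising with it.
    if ($userInput === '' || $userInput !== basename($userInput)) {
        return null;
    }
    // Allow-list the characters a backup name may contain; no dot-files ("..", ".env").
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $userInput) || $userInput[0] === '.') {
        return null;
    }
    // Canonicalise both sides. realpath() resolves symlinks and "..", so the
    // containment check below cannot be bypassed by a link placed inside $baseDir.
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $userInput);
    if ($base === false || $target === false) {
        return null;   // base directory missing, or the backup does not exist
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // resolved to a location outside the backup directory
    }
    return $target;
}

// Self-check against a constructed temporary backup directory.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mw_backup_demo_' . getmypid();
mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'site_2025-07-02.zip', 'demo');

$candidates = [
    'site_2025-07-02.zip',   // legitimate backup inside the directory
    '/etc/passwd',           // absolute path, as in the advisory's src parameter
    '../../etc/passwd',      // relative traversal
    '..',                    // bare parent segment
    "site.zip\0.txt",        // NUL-byte truncation attempt
    'missing.zip',           // well-formed name, but no such file
];
foreach ($candidates as $name) {
    $result = safe_backup_path($name, $tmp);
    printf("%-22s => %s\n", json_encode($name), $result === null ? 'REJECTED' : $result);
}

unlink($tmp . DIRECTORY_SEPARATOR . 'site_2025-07-02.zip');
rmdir($tmp);
```

The order of the checks matters: the bare-name comparison and the allow-list run before any filesystem access, so untrusted input never reaches `realpath()` with a directory separator in it, and the final prefix comparison on the canonicalised path is what catches a symlink that a tenant managed to place inside the backup directory. The same containment check belongs in front of the download endpoint's `file` parameter, not only the upload endpoint's `src`.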

Impact:

  • Unauthorized file disclosure.
  • Potential system compromise.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

πŸ”JOIN OUR CYBER WORLD [ CVE News β€’ HackMonitor β€’ UndercodeNews ]

πŸ’¬ Whatsapp | πŸ’¬ Telegram

πŸ“’ Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | πŸ”— Linkedin Featured Image

Scroll to Top