CVE-2020-13405 — Microweber Discloses Sensitive Information

Description

`userfiles/modules/users/controller/controller.php` in Microweber before 1.1.20 allows an unauthenticated user to disclose the users database via a `/modules/ POST` request.

How to fix CVE-2020-13405

To remediate CVE-2020-13405, upgrade the affected package to a fixed version below.

Packagist/microweber/microweber—upgrade to 1.1.20 or later

Is CVE-2020-13405 being exploited?

Likely — EPSS is 53.3%, placing CVE-2020-13405 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

from 0, < 1.1.20

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-13405
PATCHgithub.com/microweber/microweber
WEBgithub.com/microweber/microweber/commit/269320e0e0e06a1785e1a1556da769a34280b7e6
WEBrhinosecuritylabs.com/research/microweber-database-disclosure