CVE-2020-13405
published 2020-07-16


Priority: P2 (61) · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Public exploit: available
EPSS: 13.72% (96.0th percentile)
userfiles/modules/users/controller/controller.php in Microweber before 1.1.20 allows an unauthenticated user to disclose the users database via a /modules/ POST request.

Affected (2 ranges)

Vendor      Product     Version range     Fixed in
microweber  microweber  < 1.1.20          1.1.20
microweber  microweber  >= 0, < 1.1.20    1.1.20

Detection & IOCs (extracted from sources)

path     /userfiles/modules/users/controller/controller.php
path     /module/
command  module=users/controller
command  module=modules/users/controller
command  module=/modules/users/controller
  • Detect unauthenticated POST requests to /module/ whose body contains 'module=users/controller', 'module=modules/users/controller', or 'module=/modules/users/controller'. These are the three payload variants the public exploit uses to trigger the information disclosure.
  • A response to a successful exploitation attempt contains all of 'username', 'password', and 'password_reset_hash' in the body, with HTTP 200 and Content-Type text/html. Use these as response-side detection signals.
  • The exploit requests carry a Referer header pointing at the admin users module; a Referer containing 'admin/view:modules/load_module:users' is an additional, weaker signal (the header is attacker-controlled).
  • Shodan fingerprinting: Microweber instances can be identified by HTTP HTML containing 'microweber' or by favicon hash 780351152. Use these to scope detection to relevant assets.
  • The exploit POST uses Content-Type 'application/x-www-form-urlencoded; charset=UTF-8'. Combine this with the /module/ path and the module= body for a precise network signature.
  • The flaw is CWE-306 (Missing Authentication for Critical Function): no session token or credentials are required, so any unauthenticated POST to /module/ with one of the payloads above is sufficient to exploit it.
  • The public exploit sends three requests, one per payload variant, to cover the known endpoint permutations; detection rules should match all three forms, not just the first.
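The detection logic described in the bullets above, written out as an added example (not code from the original page or from the Microweber project). It classifies per-transaction HTTP records against the request-side indicators (POST to /module/, `module` form field equal to one of the three payload variants, form-urlencoded Content-Type, admin-module Referer) and the response-side leak of `username`, `password` and `password_reset_hash`. The record format (one dict per request/response pair), the sample transactions, and the benign module name `content/sidebar` are constructed for this example. It goes slightly beyond the literal strings in the bullets by percent-decoding the form body, so an encoded `module=users%2Fcontroller` is caught as the same payload, and by matching `/module/` under a subdirectory install; both generalisations are assumptions, not something the advisory states.

```python
"""Detection logic for CVE-2020-13405 exploitation attempts against Microweber.

Added example, not from the advisory page or the Microweber code base.
Transaction records are a constructed format for this example:
    method, path, headers (dict), body, status, resp_body
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# The three payload variants listed in the advisory's IOC section.
EXPLOIT_MODULE_VALUES = frozenset({
    "users/controller",
    "modules/users/controller",
    "/modules/users/controller",
})
# Response-side leak markers from the advisory.
LEAK_FIELDS = ("username", "password", "password_reset_hash")
REFERER_MARKER = "admin/view:modules/load_module:users"
FORM_CONTENT_TYPE = "application/x-www-form-urlencoded"


def module_param(body: str) -> Optional[str]:
    """Return the decoded `module` form field, or None if absent.

    parse_qs percent-decodes, so 'module=users%2Fcontroller' and
    'module=users/controller' both yield 'users/controller' (assumption:
    encoded variants should be treated as the same payload).
    """
    values = parse_qs(body, keep_blank_values=True).get("module")
    return values[0] if values else None


def analyze(tx: dict) -> dict:
    """Classify one transaction: was it an attempt, and did it succeed?"""
    headers = {k.lower(): v for k, v in tx.get("headers", {}).items()}
    path = urlsplit(tx.get("path", "")).path  # drop any query string
    signals = []

    # Request side: POST to .../module/ (subdirectory installs assumed) with
    # a module parameter matching one of the three known payloads.
    request_match = (
        tx.get("method", "").upper() == "POST"
        and path.rstrip("/").endswith("/module")
        and module_param(tx.get("body", "")) in EXPLOIT_MODULE_VALUES
    )
    if request_match:
        signals.append("exploit payload to /module/")
        if headers.get("content-type", "").startswith(FORM_CONTENT_TYPE):
            signals.append("form-urlencoded content type")
        if REFERER_MARKER in headers.get("referer", ""):
            signals.append("admin users-module referer")

    # Response side: HTTP 200 whose body carries all three leak markers.
    resp_body = tx.get("resp_body") or ""
    leaked = (
        request_match
        and tx.get("status") == 200
        and all(field in resp_body for field in LEAK_FIELDS)
    )
    if leaked:
        signals.append("response carries username/password/password_reset_hash")

    return {"attempt": request_match, "success": leaked, "signals": signals}


# Constructed sample transactions, not captured traffic.
FORM_CT = "application/x-www-form-urlencoded; charset=UTF-8"
SAMPLE_TRANSACTIONS = [
    {   # variant 1, vulnerable target: response leaks the users table
        "method": "POST", "path": "/module/",
        "headers": {"Content-Type": FORM_CT,
                    "Referer": "http://shop.example/admin/view:modules/load_module:users"},
        "body": "module=users/controller", "status": 200,
        "resp_body": "<table><tr><td>username</td><td>password</td>"
                     "<td>password_reset_hash</td></tr></table>",
    },
    {   # variant 2 with percent-encoded slashes, patched target answers 403
        "method": "POST", "path": "/module/",
        "headers": {"Content-Type": FORM_CT},
        "body": "module=modules%2Fusers%2Fcontroller", "status": 403, "resp_body": "",
    },
    {   # variant 3 against a subdirectory install, nothing sensitive returned
        "method": "POST", "path": "/cms/module/?v=1",
        "headers": {"Content-Type": FORM_CT},
        "body": "module=/modules/users/controller", "status": 200,
        "resp_body": "<html>nothing sensitive</html>",
    },
    {   # legitimate front-end module load (hypothetical module name)
        "method": "POST", "path": "/module/",
        "headers": {"Content-Type": FORM_CT},
        "body": "module=content/sidebar", "status": 200, "resp_body": "<ul></ul>",
    },
]


def analyze_all(transactions=SAMPLE_TRANSACTIONS):
    return [analyze(tx) for tx in transactions]


if __name__ == "__main__":
    for tx, verdict in zip(SAMPLE_TRANSACTIONS, analyze_all()):
        print(tx["body"], "->", verdict)
```

Attempts are flagged from the request alone, so a probe against a patched host (the 403 case) is still recorded; `success` only fires when the 200 response carries all three leak markers, which is the signal worth paging on.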

CVSS provenance

NVD  v3.1  7.5 HIGH    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD  v2.0  5.0 MEDIUM  AV:N/AC:L/Au:N/C:P/I:N/A:N