CVE-2020-13405
Published 2020-07-16
Priority: P2 (61), high; CVSS 3.1 score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit available
EPSS: 13.72% (96.0th percentile)
userfiles/modules/users/controller/controller.php in Microweber before 1.1.20 allows an unauthenticated user to disclose the users database via a /modules/ POST request.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microweber | microweber | < 1.1.20 | 1.1.20 |
| microweber | microweber | >= 0 < 1.1.20 | 1.1.20 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to /module/ with a body containing 'module=users/controller', 'module=modules/users/controller', or 'module=/modules/users/controller'; these are the three exploit payloads used to trigger the information disclosure.
- A successful exploitation response will contain all of 'username', 'password' and 'password_reset_hash' in the response body with HTTP 200 and Content-Type text/html; use these as response-side detection signals.
- Requests include a Referer header pointing to the admin users module path, which can be used as an additional detection signal: Referer contains 'admin/view:modules/load_module:users'.
- Shodan fingerprinting: Microweber instances can be identified via HTTP HTML containing 'microweber' or favicon hash 780351152; use these to scope detection to relevant assets.
- Content-Type of the exploit POST request is 'application/x-www-form-urlencoded; charset=UTF-8'; combine with the /module/ path and module= payload body for a precise network detection signature.
- The vulnerability is unauthenticated (CWE-306: Missing Authentication for Critical Function), meaning no session token or credentials are required; any unauthenticated POST to /module/ with the correct payload is sufficient to exploit it.
- The exploit requires exactly 3 requests (one per payload variant) to cover all known endpoint permutations; detection rules should account for all three payload forms.
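The request-side and response-side signals listed above, combined into one detector over HTTP transaction records, as an added example that is not part of the original page or of any vendor tooling. The record layout (`request`/`response` dicts with lower-cased header names) and the sample transactions are constructed for illustration.

```python
from urllib.parse import parse_qs

# The three 'module=' payload variants named in the detection notes.
SUSPECT_MODULES = {"users/controller", "modules/users/controller", "/modules/users/controller"}
# All three fields together in a 200 text/html body indicate the users table was returned.
LEAK_FIELDS = ("username", "password", "password_reset_hash")


def classify(tx):
    """Return the list of tripped signals for one transaction (empty list = benign)."""
    reasons = []
    req, resp = tx["request"], tx.get("response", {})
    headers = req.get("headers", {})
    # Normalise '/module' and '/module/?x=y' to '/module/' before comparing.
    path = req["path"].split("?", 1)[0].rstrip("/") + "/"
    ctype = headers.get("content-type", "").lower()
    if req["method"] == "POST" and path == "/module/" and ctype.startswith("application/x-www-form-urlencoded"):
        modules = parse_qs(req.get("body", "")).get("module", [])  # parse_qs URL-decodes %2F
        if any(m in SUSPECT_MODULES for m in modules):
            reasons.append("request: POST /module/ loading users/controller")
            if "admin/view:modules/load_module:users" in headers.get("referer", ""):
                reasons.append("request: Referer points at admin users module")
    if resp.get("status") == 200 and resp.get("content_type", "").lower().startswith("text/html"):
        if all(field in resp.get("body", "") for field in LEAK_FIELDS):
            reasons.append("response: username/password/password_reset_hash present")
    return reasons


def scan(transactions):
    """Map transaction id -> tripped signals for every transaction that trips at least one."""
    return {tx["id"]: r for tx in transactions if (r := classify(tx))}


# Constructed sample transactions (not captured traffic). t1 matches on both sides,
# t2 is a benign module load, t3 lacks the POST/payload and the third leak field.
SAMPLE_TRANSACTIONS = [
    {"id": "t1",
     "request": {"method": "POST", "path": "/module/",
                 "headers": {"content-type": "application/x-www-form-urlencoded; charset=UTF-8",
                             "referer": "http://cms.example.invalid/admin/view:modules/load_module:users"},
                 "body": "module=users%2Fcontroller"},
     "response": {"status": 200, "content_type": "text/html",
                  "body": '[{"id":1,"username":"admin","password":"<hash>","password_reset_hash":"<hash>"}]'}},
    {"id": "t2",
     "request": {"method": "POST", "path": "/module/",
                 "headers": {"content-type": "application/x-www-form-urlencoded; charset=UTF-8"},
                 "body": "module=shop%2Fcart"},
     "response": {"status": 200, "content_type": "text/html", "body": "<div>cart</div>"}},
    {"id": "t3",
     "request": {"method": "GET", "path": "/module/", "headers": {}, "body": ""},
     "response": {"status": 200, "content_type": "text/html", "body": "username password"}},
]
```

Scoping the scan to assets fingerprinted as Microweber, as the notes suggest, keeps the request-side rule from firing on unrelated applications that happen to expose a /module/ path.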
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
OSV
Microweber Discloses Sensitive Information (osv · 2022-05-24)
CVE-2020-13405 [HIGH]: `userfiles/modules/users/controller/controller.php` in Microweber before 1.1.20 allows an unauthenticated user to disclose the users database via a `/modules/` POST request.
GHSA
Microweber Discloses Sensitive Information (ghsa · 2022-05-24)
CVE-2020-13405 [HIGH] CWE-200: `userfiles/modules/users/controller/controller.php` in Microweber before 1.1.20 allows an unauthenticated user to disclose the users database via a `/modules/` POST request.
No detection rules found.
Nuclei
Microweber <1.1.20 - Information Disclosure (nuclei · CVSS 7.5)
CVE-2020-13405 [HIGH]: Microweber before 1.1.20 is susceptible to information disclosure via userfiles/modules/users/controller/controller.php. An attacker can disclose the users database via a /modules/ POST request and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.
Template:
```yaml
id: CVE-2020-13405
info:
  name: Microweber <1.1.20 - Information Disclosure
  author: ritikchaddha,amit-jd
  severity: high
  description: |
    Microweber before 1.1.20 is susceptible to information disclosure via userfiles/modules/users/controller/controller.php. An attacker can disclose the users database via a /modules/ POST request and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.
  impact: |
    An
```
No writeups or analysis indexed.
References:
- https://github.com/microweber/microweber/commit/269320e0e0e06a1785e1a1556da769a34280b7e6
- https://rhinosecuritylabs.com/research/microweber-database-disclosure/
Published: 2020-07-16