CVE-2021-36461

8.8 HIGH

📋 TL;DR

Microweber 1.1.3 has an arbitrary file upload vulnerability that allows attackers to upload malicious files disguised as pictures, potentially leading to remote code execution. This affects all Microweber installations running version 1.1.3 or earlier. Attackers can compromise the web server and gain control over the affected system.

💻 Affected Systems

Products:
  • Microweber
Versions: 1.1.3 and earlier
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to the Settings Upload Picture functionality, which may require authentication depending on configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise with attacker gaining shell access, data theft, ransomware deployment, and lateral movement to other systems.

🟠 Likely Case

Webshell installation leading to website defacement, data exfiltration, and use as a foothold for further attacks.

🟢 If Mitigated

File uploads blocked or properly validated, preventing malicious file execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires uploading a malicious user.ini file disguised as an image, which can then be used to execute arbitrary PHP code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.0 and later

Vendor Advisory: https://github.com/microweber/microweber/issues/751

Restart Required: No

Instructions:

1. Back up your Microweber installation and database.
2. Update to Microweber version 1.2.0 or later via the admin panel or a manual update.
3. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable file uploads (platform: all)

Temporarily disable the Settings Upload Picture functionality

# Modify Microweber configuration to disable uploads
# Check your specific installation for upload settings

File extension validation (platform: linux)

Implement server-side validation that allows only the expected image file extensions. The rule below complements that at the web server level by refusing to serve .php or .ini files from the upload tree. Note that PHP reads a .user.ini from disk when it runs a script in the same directory, so also prevent PHP from executing anything under the upload directory.

# Add to the .htaccess of the upload directory (Apache 2.4 syntax; on Apache 2.2 use "Deny from env=block_upload"):
SetEnvIf Request_URI "\.(php|ini)$" block_upload
<RequireAll>
    Require all granted
    Require not env block_upload
</RequireAll>

🧯 If You Can't Patch

  • Implement strict file upload validation on the web server level
  • Use a Web Application Firewall (WAF) to block malicious file uploads

🔍 How to Verify

Check if Vulnerable:

Check whether the installation is running Microweber version 1.1.3 or earlier, either in the admin panel or via the version file

Check Version:

grep -r 'version' /path/to/microweber/installation/ | grep -i microweber

Verify Fix Applied:

Confirm that the version is 1.2.0 or later, then test the file upload functionality with restricted file types to make sure they are rejected

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to upload directories
  • Files with .ini extension in upload folders
  • Multiple failed upload attempts

Network Indicators:

  • POST requests to upload endpoints with unusual file types
  • Traffic patterns suggesting webshell communication

SIEM Query:

source="web_logs" AND (uri="*upload*" OR uri="*settings*") AND (file_extension="ini" OR file_extension="php")
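A host-side check for the first two log indicators above, added here as an example (it is not Microweber's code or part of the advisory): it walks an upload directory and flags any .php/.ini file (which covers user.ini and .user.ini), double extensions such as name.php.gif, and files carrying an image extension whose leading bytes are not an image signature. The directory layout and the sample files are constructed assumptions.

```python
import os
import tempfile
# Magic bytes of the image types a picture-upload form is expected to accept.
IMAGE_MAGIC = {".png": [b"\x89PNG\r\n\x1a\n"], ".jpg": [b"\xff\xd8\xff"],
               ".jpeg": [b"\xff\xd8\xff"], ".gif": [b"GIF87a", b"GIF89a"]}
# Extensions that must never sit in an upload tree (matches user.ini and .user.ini).
SUSPECT_EXTS = {".php", ".phtml", ".ini"}

def classify(path):
    """Return None if the file looks benign, otherwise a short reason string."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if ext in SUSPECT_EXTS:
        return "config/script file in upload tree"
    # Double extensions such as shell.php.jpg are a common disguise.
    if any("." + p in SUSPECT_EXTS for p in name.split(".")[1:-1]):
        return "double extension"
    if ext in IMAGE_MAGIC:
        with open(path, "rb") as fh:
            head = fh.read(8)
        if not any(head.startswith(m) for m in IMAGE_MAGIC[ext]):
            return "image extension but non-image content"
    return None

def scan_uploads(root):
    """Walk the upload tree and return {relative_path: reason} for suspect files."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            reason = classify(full)
            if reason:
                findings[os.path.relpath(full, root)] = reason
    return findings

def build_sample_dir():
    """Create a constructed upload tree (sample data, not real uploads) to scan."""
    root = tempfile.mkdtemp(prefix="uploads_")
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,  # valid PNG signature
        "logo.jpg": b"; constructed placeholder text, not image data\n",
        ".user.ini": b"; constructed placeholder, not a real directive\n",
        "avatar.php.gif": b"GIF89a" + b"\x00" * 16,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, reason in sorted(scan_uploads(build_sample_dir()).items()):
        print(f"{rel}: {reason}")
```

Point scan_uploads at the real upload directory (for example from a cron job) and forward any findings to the SIEM alongside the query above.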
