Description

webERP 4.15.1 contains a file access vulnerability that allows remote attackers to download database backup files without authentication. Generated backup files are stored in the companies/weberp/ directory, and an attacker can retrieve one by requesting the Backup_[timestamp].sql.gz file directly.

PUBLISHED Reserved 2026-02-01 | Published 2026-02-03 | Updated 2026-02-04 | Assigner VulnCheck




HIGH: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)
CRITICAL: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

Files or Directories Accessible to External Parties

Product status

4.15.1: affected

Credits

Besim ALTINOK (finder)

References

www.exploit-db.com/exploits/48420 (ExploitDB-48420) exploit

www.weberp.org (Official webERP Vendor Homepage) product

sourceforge.net/projects/web-erp/ (webERP SourceForge Project Page) product

www.vulncheck.com/...berp-unauthenticated-backup-file-access (VulnCheck Advisory: webERP 4.15.1 - Unauthenticated Backup File Access) third-party-advisory

cve.org (CVE-2020-37082)

nvd.nist.gov (CVE-2020-37082)
