CyberSec.Space Logo
Back to CVE Browser

CVE-2018-6328

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1870%
EPSS Percentile44.26th
PublishedMar 14, 2018
Last ModifiedNov 21, 2024

Vulnerability Description

It was discovered that the Unitrends Backup (UB) before 10.1.0 user interface was exposed to an authentication bypass, which then could allow an unauthenticated user to inject arbitrary commands into its /api/hosts parameters using backquotes.

Affected Platforms (CPE)

πŸ“¦
Kaseya

Unitrends Backup

< 10.1

References & Advisories

πŸ”— https://support.unitrends.com/UnitrendsBackup/s/article/000001150
πŸ”— https://support.unitrends.com/UnitrendsBackup/s/article/000006002
πŸ”— https://www.exploit-db.com/exploits/44297/
πŸ”— https://www.exploit-db.com/exploits/45559/
πŸ”— https://support.unitrends.com/UnitrendsBackup/s/article/000001150
πŸ”— https://support.unitrends.com/UnitrendsBackup/s/article/000006002
πŸ”— https://www.exploit-db.com/exploits/44297/
πŸ”— https://www.exploit-db.com/exploits/45559/

Related Vulnerabilities

CVE-2014-300810.0

Unitrends Enterprise Backup 7.3.0 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ...

CVE-2017-124779.8

It was discovered that the bpserverd proprietary protocol in Unitrends Backup (UB) before 10.0.0, as invoked through xinetd, has a...

CVE-2018-63299.8

It was discovered that the Unitrends Backup (UB) before 10.1.0 libbpext.so authentication could be bypassed with a SQL injection, ...

CVE-2017-124789.8

It was discovered that the api/storage web interface in Unitrends Backup (UB) before 10.0.0 has an issue in which one of its input...