CVE-2020-8427: Unauthenticated SQL Injection

CVE ID

CVE-2020-8427

DESCRIPTION

In Unitrends Backup before 10.4.1, an HTTP request parameter was not properly sanitized, allowing for SQL injection that resulted in an authentication bypass.

This vulnerability was identified and reported by a security researcher, Cale Smith of EasyShell Security.

 

RESOLUTION

Kaseya/Unitrends remediated the vulnerability by changing the execution of a dynamic SQL statement to a parameterized execution. Additionally, standardized input sanitization is being applied to the formally vulnerable parameter.

 

Remediation Timeframe

Report Received: January 22, 2022
Patch Released: February 4, 2020
Fix Version: Recovery Series  10.4.1

 

Customer Remediation

All customers should upgrade their Unitrends Backup instances to Version 10.4.1 or later.
 

LINK TO ADVISORIES

    NOTES

    Related Links


    Version 10.4.1 Release Notes:
    https://unitrends-support.zendesk.com/hc/en-us/articles/360013187237
     
    Was this article helpful?
    0 out of 0 found this helpful
    Have more questions? Contact us