CVE-2018-6328 Unitrends: RCE with backquotes in /api/hosts/ parameters

CVE ID

CVE-2018-6328

DESCRIPTION

It was discovered that the Unitrends Backup (UB) user interface before 10.1.0 was exposed to an authentication bypass, which could then allow an unauthenticated user to inject arbitrary commands into its /api/hosts parameters using backquotes.
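The injection class described above, as an added example that is not Unitrends code: a hypothetical handler passes a host parameter to a helper command (`printf` stands in for it), first through a shell, where backquotes trigger command substitution, and then as a single argv element behind an allow-list check. All function names and sample values are constructed for illustration.

```python
import ipaddress
import re
import subprocess

# Assumption: the parameter is meant to hold an IP literal or RFC 1123 hostname.
_HOSTNAME = re.compile(
    r"(?=.{1,253}\Z)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\Z"
)


def is_valid_host(value: str) -> bool:
    """Allow-list check: anything but an IP or hostname is rejected."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME.match(value) is not None


def run_with_shell(name: str) -> str:
    """Vulnerable pattern: the value is pasted into a shell command line,
    so /bin/sh performs `...` command substitution before printf runs."""
    done = subprocess.run(f"printf %s {name}", shell=True,
                          capture_output=True, text=True)
    return done.stdout


def run_without_shell(name: str) -> str:
    """The value is one argv element; no shell ever parses it."""
    done = subprocess.run(["printf", "%s", name],
                          capture_output=True, text=True)
    return done.stdout


def handle_host_param(name: str) -> str:
    """Hardened handler: validate first, then execute without a shell."""
    if not is_valid_host(name):
        raise ValueError("rejected host parameter")
    return run_without_shell(name)


if __name__ == "__main__":
    sample = "host`echo INJECTED`"          # constructed, harmless input
    print(run_with_shell(sample))            # substitution happened
    print(run_without_shell(sample))         # backquotes stay literal
    print(is_valid_host(sample))             # rejected by the allow-list
```

Removing the shell and validating the input are independent controls; the handler applies both so that a gap in one does not expose the other.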

RESOLUTION

Resolution is to upgrade to Unitrends release 10.1.0 or later.

How to enable the release 10.1 upgrade

LINK TO ADVISORIES

NOTES


[Discoverers] Benny Husted, Cale Smith, Jared Arave
