Ahsay: >> Cloud Backup Suite >> 7.15.4.10 Security Vulnerabilities
An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. When creating a trial account, it is possible to inject XSS in the Alias field, allowing the attacker to retrieve the admin's cookie and take over the account.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-07-26
An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. With a valid administrator account, the "Move / Import / Export Users" screen has an Import Users option. This option accepts a ZIP archive containing a users.xml file that can trigger XXE.
CVSS Score
7.2
EPSS Score
0.005
Published
2019-07-26
An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. On the /cbs/system/ShowAdvanced.do "File Explorer" screen, it is possible to change the directory in the JavaScript code. If changed to (for example) "C:" then one can browse the whole server.
CVSS Score
7.5
EPSS Score
0.007
Published
2019-07-26
An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. When sending an out-of-bounds XML document to a URL, it is possible to read the file structure and even the content of files without authentication.
CVSS Score
7.5
EPSS Score
0.355
Published
2019-07-26
An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.1.0.50. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full access to the system, as the configured user (e.g., Administrator).
CVSS Score
8.8
EPSS Score
0.662
Published
2019-07-26