CVE-2019-10267

EUVD-2019-2270
An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.1.0.50. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full access to the system, as the configured user (e.g., Administrator).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 98%
Affected Products (NVD)
VendorProductVersion
ahsaycloud_backup_suite
7.7.0.0 ≤
𝑥
< 8.1.1.50
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/153770/Ahsay-Backup-7.x-8.x-File-Upload-Remote-Code-Execution.html
http://packetstormsecurity.com/files/153771/Ahsay-Backup-7.x-8.x-File-Upload-Remote-Code-Execution.html
https://www.wbsec.nl/ahsay/
http://packetstormsecurity.com/files/153770/Ahsay-Backup-7.x-8.x-File-Upload-Remote-Code-Execution.html
http://packetstormsecurity.com/files/153771/Ahsay-Backup-7.x-8.x-File-Upload-Remote-Code-Execution.html
https://www.wbsec.nl/ahsay/