VYPR

Cloud Backup Suite

by Ahsay

CVEs (6)

  • CVE-2019-10267HigJul 26, 2019
    risk 0.66cvss 8.8epss 0.76

    An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.1.0.50. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full access to the…

  • CVE-2020-5846HigJan 6, 2020
    risk 0.57cvss 8.8epss 0.01

    An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.3.0.30 via a "PUT /obs/obm7/file/upload" request with the base64-encoded pathname in the X-RSW-custom-encode-path HTTP header, and the content in the HTTP request body. It is possible…

  • CVE-2019-10266HigJul 26, 2019
    risk 0.53cvss 7.5epss 0.13

    An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. When sending an out-of-bounds XML document to a URL, it is possible to read the file structure and even the content of files without authentication.

  • CVE-2019-10265HigJul 26, 2019
    risk 0.49cvss 7.5epss 0.03

    An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. On the /cbs/system/ShowAdvanced.do "File Explorer" screen, it is possible to change the directory in the JavaScript code. If changed to (for example) "C:" then one can browse the whole server.

  • CVE-2019-10264HigJul 26, 2019
    risk 0.47cvss 7.2epss 0.01

    An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. With a valid administrator account, the "Move / Import / Export Users" screen has an Import Users option. This option accepts a ZIP archive containing a users.xml file that can trigger XXE.

  • CVE-2019-10263MedJul 26, 2019
    risk 0.40cvss 6.1epss 0.01

    An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. When creating a trial account, it is possible to inject XSS in the Alias field, allowing the attacker to retrieve the admin's cookie and take over the account.