Vulnerability Description
It was discovered that the Unitrends Backup (UB) before 10.1.0 user interface was exposed to an authentication bypass, which then could allow an unauthenticated user to inject arbitrary commands into its /api/hosts parameters using backquotes.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kaseya | Unitrends Backup | < 10.1 |
Related Weaknesses (CWE)
References
- https://support.unitrends.com/UnitrendsBackup/s/article/000001150Vendor Advisory
- https://support.unitrends.com/UnitrendsBackup/s/article/000006002Vendor Advisory
- https://www.exploit-db.com/exploits/44297/ExploitThird Party AdvisoryVDB Entry
- https://www.exploit-db.com/exploits/45559/ExploitThird Party AdvisoryVDB Entry
- https://support.unitrends.com/UnitrendsBackup/s/article/000001150Vendor Advisory
- https://support.unitrends.com/UnitrendsBackup/s/article/000006002Vendor Advisory
- https://www.exploit-db.com/exploits/44297/ExploitThird Party AdvisoryVDB Entry
- https://www.exploit-db.com/exploits/45559/ExploitThird Party AdvisoryVDB Entry
FAQ
What is CVE-2018-6328?
CVE-2018-6328 is a vulnerability with a CVSS score of 9.8 (CRITICAL). It was discovered that the Unitrends Backup (UB) before 10.1.0 user interface was exposed to an authentication bypass, which then could allow an unauthenticated user to inject arbitrary commands into ...
How severe is CVE-2018-6328?
CVE-2018-6328 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-6328?
Check the references section above for vendor advisories and patch information. Affected products include: Kaseya Unitrends Backup.