CVE-2017-12478 – Unitrends UEB 9.1 - Authentication Bypass / Remote Command Execution

https://notcve.org/view.php?id=CVE-2017-12478

It was discovered that the api/storage web interface in Unitrends Backup (UB) before 10.0.0 has an issue in which one of its input parameters was not validated. A remote attacker could use this flaw to bypass authentication and execute arbitrary commands with root privilege on the target system. Se ha descubierto que la interfaz web api/storage en Unitrends Backup (UB) en versiones anteriores a la 10.0.0 tiene un problema por el cual uno de sus parámetros de entrada no fue validado. Un atacante remoto podría emplear este fallo para eludir la autenticación y ejecutar comandos arbitrarios con privilegios root en el sistema objetivo. It was discovered that the api/storage web interface in Unitrends Backup (UB) before 10.0.0 has an issue in which one of its input parameters was not validated. • https://www.exploit-db.com/exploits/42958 https://www.exploit-db.com/exploits/45559 https://www.exploit-db.com/exploits/43030 https://support.unitrends.com/UnitrendsBackup/s/article/000005756 https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000TO5PAAW/000005756 https://support.unitrends.com/UnitrendsBackup/s/article/000006002 https://nvd.nist.gov/vuln/detail/CVE-2017-12478 http://blog.redactedsec.net/exploits/2018/01/29/UEB9.html • CWE-287: Improper Authentication •