8 results (0.003 seconds)

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1

Arcserve UDP prior to 9.2 contains a path traversal vulnerability in com.ca.arcflash.ui.server.servlet.FileHandlingServlet.doUpload(). An unauthenticated remote attacker can exploit it to upload arbitrary files to any location on the file system where the UDP agent is installed. Arcserve UDP anterior a 9.2 contiene una vulnerabilidad de Path Traversal en com.ca.arcflash.ui.server.servlet.FileHandlingServlet.doUpload(). Un atacante remoto no autenticado puede aprovecharlo para cargar archivos arbitrarios en cualquier ubicación del sistema de archivos donde esté instalado el agente UDP. • https://www.tenable.com/security/research/tra-2023-37 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1

An authentication bypass exists in Arcserve UDP prior to version 9.2. An unauthenticated, remote attacker can obtain a valid authentication identifier that allows them to authenticate to the management console and perform tasks that require authentication. Existe una omisión de autenticación en Arcserve UDP antes de la versión 9.2. Un atacante remoto no autenticado puede obtener un identificador de autenticación válido que le permita autenticarse en la consola de administración y realizar tareas que requieran autenticación. • https://www.tenable.com/security/research/tra-2023-37 • CWE-287: Improper Authentication •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1

Arcserve UDP prior to 9.2 contained a vulnerability in the com.ca.arcflash.rps.webservice.RPSService4CPMImpl interface. A routine exists that allows an attacker to upload and execute arbitrary files. Arcserve UDP anterior a 9.2 contenía una vulnerabilidad en la interfaz com.ca.arcflash.rps.webservice.RPSService4CPMImpl. Existe una rutina que permite a un atacante cargar y ejecutar archivos arbitrarios. • https://www.tenable.com/security/research/tra-2023-37 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2

Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator. • https://github.com/mdsecactivebreach/CVE-2023-26258-ArcServe https://support.arcserve.com/s/article/KB000015720?language=en_US https://www.arcserve.com/products/arcserve-udp https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup • CWE-863: Incorrect Authorization •

CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0

An issue was discovered in Arcserve Unified Data Protection (UDP) through 6.5 Update 4. There is a DDI-VRT-2018-19 Unauthenticated XXE in /management/UdpHttpService issue. Se ha descubierto un problema en Arcserve Unified Data Protection (UDP) hasta la versión 6.5 Update 4. Hay XEE (XML External Entity) no autenticado en DDI-VRT-2018-19 en /management/UdpHttpService. • https://exchange.xforce.ibmcloud.com/vulnerabilities/152033 https://support.arcserve.com/s/article/360001392563?language=en_US https://support.arcserve.com/s/article/Security-vulnerabilities-with-Arcserve-UDP-and-fixes-for-them?language=en_US https://www.digitaldefense.com/blog/zero-day-alerts/arcserve-disclosure • CWE-611: Improper Restriction of XML External Entity Reference •