CVE-2024-0801 – Unauthenticated DoS in Arcserve Unified Data Protection
https://notcve.org/view.php?id=CVE-2024-0801
A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll.
• https://www.tenable.com/security/research/tra-2024-07
• CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
CVE-2024-0800 – Authentication Bypass via wizardLogin in Arcserve Unified Data Protection
https://notcve.org/view.php?id=CVE-2024-0800
A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet.
• https://www.tenable.com/security/research/tra-2024-07
• CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2024-0799 – Authentication Bypass via wizardLogin in Arcserve Unified Data Protection
https://notcve.org/view.php?id=CVE-2024-0799
An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin.
• https://www.tenable.com/security/research/tra-2024-07
• CWE-287: Improper Authentication
CVE-2015-4068 – Arcserve Unified Data Protection (UDP) Directory Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2015-4068
Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive information or cause a denial of service via a crafted file path to the (1) reportFileServlet or (2) exportServlet servlet. This vulnerability allows remote attackers to disclose and delete files on vulnerable installations of Arcserve Unified Data Protection. Authentication is not required to exploit this vulnerability. The specific flaw exists within the exportServlet servlet. The issue lies in the failure to sanitize the path of files requested.
• http://documentation.arcserve.com/Arcserve-UDP/Available/V5/ENU/Bookshelf_Files/HTML/Update%204/UDP_Update4_ReleaseNotes.html
• http://www.securityfocus.com/bid/74845
• http://www.zerodayinitiative.com/advisories/ZDI-15-241
• http://www.zerodayinitiative.com/advisories/ZDI-15-242
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2015-4069 – Arcserve Unified Data Protection Management Service EdgeServiceImpl getBackupPolicies Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2015-4069
The EdgeServiceImpl web service in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive credentials via a crafted SOAP request to the (1) getBackupPolicy or (2) getBackupPolicies method. This vulnerability allows remote attackers to disclose information on vulnerable installations of Arcserve Unified Data Protection. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getBackupPolicies method of the EdgeServiceImpl web service. By sending a crafted SOAP request, this method will return an individual application's backup policies, which contain sensitive credentials.
• http://documentation.arcserve.com/Arcserve-UDP/Available/V5/ENU/Bookshelf_Files/HTML/Update%204/UDP_Update4_ReleaseNotes.html
• http://www.securityfocus.com/bid/74838
• http://www.zerodayinitiative.com/advisories/ZDI-15-243
• http://www.zerodayinitiative.com/advisories/ZDI-15-244
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor