In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 installed on Windows, the http API located at /consumerweb/secure/download.php. Using this command argument an unauthenticated attacker can execute arbitrary OS commands with SYSTEM privileges.
CPE | Name | Operator | Version |
---|---|---|---|
bdr_suite | lt | 4.2.0.1 | |
offsite_dr | lt | 4.2.0.1 |