7 matches found
CVE-2019-10263
CVE-2019-10263 affects Ahsay Cloud Backup Suite prior to 8.1.1.50. The initial description documents an XSS vulnerability in the Alias field during trial account creation that could lead to an admin cookie theft and account takeover. Multiple connected sources corroborate the Ahsay exposure and s...
CVE-2019-10267
CVE-2019-10267 affects Ahsay Cloud Backup Suite 8.1.0.50 . The vulnerability is an insecure file upload that allows placing a file in any server directory; an attacker can upload a JSP shell to the web root and execute it, resulting in full access to the system under the configured user (e.g., Ad...
CVE-2019-10266
Affected product: Ahsay Cloud Backup Suite prior to 8.1.1.50. Issue: unauthenticated, out-of-bounds XML input can trigger XML External Entity (XXE) processing, enabling an attacker to read file structures and contents from the server. Root cause: improper handling of XML input leading to informat...
CVE-2019-10264
The affected product is Ahsay Cloud Backup Suite prior to 8.1.1.50. With a valid administrator account, the Move / Import / Export Users screen’s Import Users option accepts a ZIP archive containing a users.xml file, which can trigger an XML External Entity (XXE) vulnerability. This impacts multi...
CVE-2019-10265
CVE-2019-10265 affects Ahsay Cloud Backup Suite prior to 8.1.1.50. The vulnerability exists on the /cbs/system/ShowAdvanced.do “File Explorer” screen, where input in the JavaScript code can change the directory to an arbitrary path (e.g., C:), enabling an attacker to browse the server filesystem....
CVE-2020-5846
The CVE-2020-5846 issue affects Ahsay Cloud Backup Suite 8.3.0.30. It describes an insecure file upload via PUT /obs/obm7/file/upload, where a base64-encoded pathname is supplied in the X-RSW-custom-encode-path header and the file contents in the request body. This allows uploading a file into an...
CVE-2022-37027
This CVE affects Ahsay AhsayCBS 9.1.4.0. An authenticated system user who can modify the Runtime Options in the web interface can inject arbitrary Java JVM options, which take effect after a restart. In the documented scenario, this can enable JMX services and lead to remote code execution as the...