Unrestricted File Upload Vulnerability in Unitrends Enterprise Backup

Unrestricted File Upload Vulnerability in Unitrends Enterprise Backup

CVE-2017-7281 · MEDIUM Severity

AV:N/AC:L/AU:S/C:P/I:P/A:P

An issue was discovered in Unitrends Enterprise Backup before 9.1.2. A lack of sanitization of user input in the createReportName and saveReport functions in recoveryconsole/bpl/reports.php allows for an authenticated user to create a randomly named file on disk with a user-controlled extension, contents, and path, leading to remote code execution, aka Unrestricted File Upload.

Learn more about our User Device Pen Test.