Local File Inclusion (LFI) Vulnerability in Unitrends Enterprise Backup

Local File Inclusion (LFI) Vulnerability in Unitrends Enterprise Backup

CVE-2017-7282 · HIGH Severity

AV:N/AC:M/AU:N/C:C/I:N/A:N

An issue was discovered in Unitrends Enterprise Backup before 9.1.1. The function downloadFile in api/includes/restore.php blindly accepts any filename passed to /api/restore/download as valid. This allows an authenticated attacker to read any file in the filesystem that the web server has access to, aka Local File Inclusion (LFI).

Learn more about our Web App Pen Testing.