CVE-2019-10267

high-risk
Published 2019-07-26

An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.1.0.50. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full access to the system, as the configured user (e.g., Administrator).

Do I need to act?

!
64.4% chance of exploitation in next 30 days
EPSS score — higher than 36% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
2 public exploits available
47180, 47179
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Ahsay

References (6)

Exploit http://packetstormsecurity.com/files/153770/Ahsay-Backup-7.x-8.x-File-Upload-Rem...
Exploit http://packetstormsecurity.com/files/153771/Ahsay-Backup-7.x-8.x-File-Upload-Rem...
Exploit https://www.wbsec.nl/ahsay/
Exploit http://packetstormsecurity.com/files/153770/Ahsay-Backup-7.x-8.x-File-Upload-Rem...
Exploit http://packetstormsecurity.com/files/153771/Ahsay-Backup-7.x-8.x-File-Upload-Rem...
Exploit https://www.wbsec.nl/ahsay/
61
/ 100
high-risk
Severity 30/34 · Critical
Exploitability 26/34 · High
Exposure 5/34 · Minimal