CVE-2019-10267

EPSS 75.8%

An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.1.0.50. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full access to the system, as the configured user (e.g., Administrator).

Affected products

n/a · n/a

public PoCs found — 4

cve_referencepacketstormsecurity.com/files/153770/Ahsay-Backup-7.x-8.x-File-Upload-Remote-Code-Execution.htmlunverified cve_referencepacketstormsecurity.com/files/153771/Ahsay-Backup-7.x-8.x-File-Upload-Remote-Code-Execution.htmlunverified exploitdbwww.exploit-db.com/exploits/47180unverified exploitdbwww.exploit-db.com/exploits/47179unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/153770/Ahsay-Backup-7.x-8.x-File-Upload-Remote-Code-Execution.html http://packetstormsecurity.com/files/153771/Ahsay-Backup-7.x-8.x-File-Upload-Remote-Code-Execution.html https://www.wbsec.nl/ahsay/