CVE-2017-7281

Severity CVSS v4.0:
Pending analysis
Type:
CWE-434 Unrestricted Upload of File with Dangerous Type
Publication date:
12/04/2017
Last modified:
20/04/2025

Description

An issue was discovered in Unitrends Enterprise Backup before 9.1.2. A lack of sanitization of user input in the createReportName and saveReport functions in recoveryconsole/bpl/reports.php allows for an authenticated user to create a randomly named file on disk with a user-controlled extension, contents, and path, leading to remote code execution, aka Unrestricted File Upload.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:unitrends:enterprise_backup:*:*:*:*:*:*:*:* 9.1.1 (including)