An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.1.0.50. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full access to the system, as the configured user (e.g., Administrator).
Published 2019-07-26 21:15:12
Updated 2019-07-31 12:46:41
Source MITRE

Products affected by CVE-2019-10267

Exploit prediction scoring system (EPSS) score for CVE-2019-10267

66.12%: Probability of exploitation activity in the next 30 days
~98%: Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2019-10267

  • Ahsay Backup v7.x-v8.1.1.50 (authenticated) file upload
    Disclosure Date: 2019-06-01
    First seen: 2020-04-26
    exploit/windows/misc/ahsay_backup_fileupload
    This module exploits an authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. To successfully execute the upload, credentials are needed; by default, trial accounts are enabled on Ahsay Backup, so an account can be created. It can

CVSS scores for CVE-2019-10267

Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
9.0 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C | 8.0 | 10.0 | NIST |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |

CWE ids for CVE-2019-10267

References for CVE-2019-10267
