Rhino Security Labs

Unitrends Enterprise Backup Local File Inclusion

Vulnerability Details

CVSS Rating: 5.5 (medium)


Disclosing Company: Rhino Security Labs

Date: 04/19/2017

Status: Published

Affected software/version:
Unitrends Enterprise Backup < 9.1.1


Disclosure Date


Vulnerability Description

An issue was discovered in Unitrends Enterprise Backup before 9.1.1. The function downloadFile in api/includes/restore.php blindly accepts any filename passed to /api/restore/download as valid. This allows an authenticated attacker to read any file in the filesystem that the web server has access to, aka Local File Inclusion (LFI).

CVSS Metrics

CVSS Rating (version 3.0)

5.5 (Medium)

Impact Score

Exploitability Score



Attack Vector

Local File Inclusion

Attack Complexity (AC)Low Privileges Required (PR)None User Interaction (UI)Required Scope (S)Unchanged

Confidentiality (C)High Integrity (I)None Availability (A)None