An issue was discovered in Unitrends Enterprise Backup before 9.1.2. A lack of sanitization of user input in the createReportName and saveReport functions in recoveryconsole/bpl/reports.php allows for an authenticated user to create a randomly named file on disk with a user-controlled extension, contents, and path, leading to remote code execution, aka Unrestricted File Upload.
Unitrends Enterprise Backup Remote Code Execution in restore.php File
Unitrends Enterprise Backup Remote Code Execution in systems.php File
Unitrends Enterprise Backup Privilege Escalation in users.php File
Unitrends Enterprise Backup Privilege Escalation in Token Cookie
Unitrends Enterprise Backup Local File Inclusion
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High