Vulnerabilities > CVE-2019-10264 - XXE vulnerability in Ahsay Cloud Backup Suite

CVSS 7.2 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

HIGH

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

ahsay

CWE-611

NVD

Published: 2019-07-26

Updated: 2019-07-31

Summary

An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. With a valid administrator account, the "Move / Import / Export Users" screen has an Import Users option. This option accepts a ZIP archive containing a users.xml file that can trigger XXE.

Vulnerable Configurations

Part	Description	Count
Application	Ahsay Ahsay Cloud Backup Suite 7.3.0.0 Ahsay Cloud Backup Suite 7.3.2.0 Ahsay Cloud Backup Suite 7.5.0.0 Ahsay Cloud Backup Suite 7.7.0.0 Ahsay Cloud Backup Suite 7.7.2.0 Ahsay Cloud Backup Suite 7.9.0.0 Ahsay Cloud Backup Suite 7.9.2.0 Ahsay Cloud Backup Suite 7.9.2.2 Ahsay Cloud Backup Suite 7.11.0.4 Ahsay Cloud Backup Suite 7.11.0.10 Ahsay Cloud Backup Suite 7.11.0.20 Ahsay Cloud Backup Suite 7.13.0.0 Ahsay Cloud Backup Suite 7.13.0.2 Ahsay Cloud Backup Suite 7.13.0.6 Ahsay Cloud Backup Suite 7.15.0.8 Ahsay Cloud Backup Suite 7.15.0.20 Ahsay Cloud Backup Suite 7.15.2.2 Ahsay Cloud Backup Suite 7.15.4.10 Ahsay Cloud Backup Suite 7.15.4.41 Ahsay Cloud Backup Suite 7.15.6.38 Ahsay Cloud Backup Suite 7.15.6.55 Ahsay Cloud Backup Suite 7.17.0.30 Ahsay Cloud Backup Suite 7.17.0.50 Ahsay Cloud Backup Suite 8.1.0.24 Ahsay Cloud Backup Suite 8.1.0.50	25

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://www.wbsec.nl/ahsay/