Vulnerabilities > CVE-2019-10264 - XXE vulnerability in Ahsay Cloud Backup Suite

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

ahsay

CWE-611

NVD

Published: 2019-07-26

Updated: 2019-07-31

Summary

An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. With a valid administrator account, the "Move / Import / Export Users" screen has an Import Users option. This option accepts a ZIP archive containing a users.xml file that can trigger XXE.

Vulnerable Configurations

Part	Description	Count
Application	Ahsay Ahsay Cloud Backup Suite 7.3.0.0 Ahsay Cloud Backup Suite 7.3.2.0 Ahsay Cloud Backup Suite 7.5.0.0 Ahsay Cloud Backup Suite 7.7.0.0 Ahsay Cloud Backup Suite 7.7.2.0 Ahsay Cloud Backup Suite 7.9.0.0 Ahsay Cloud Backup Suite 7.9.2.0 Ahsay Cloud Backup Suite 7.9.2.2 Ahsay Cloud Backup Suite 7.11.0.4 Ahsay Cloud Backup Suite 7.11.0.10 Ahsay Cloud Backup Suite 7.11.0.20 Ahsay Cloud Backup Suite 7.13.0.0 Ahsay Cloud Backup Suite 7.13.0.2 Ahsay Cloud Backup Suite 7.13.0.6 Ahsay Cloud Backup Suite 7.15.0.8 Ahsay Cloud Backup Suite 7.15.0.20 Ahsay Cloud Backup Suite 7.15.2.2 Ahsay Cloud Backup Suite 7.15.4.10 Ahsay Cloud Backup Suite 7.15.4.41 Ahsay Cloud Backup Suite 7.15.6.38 Ahsay Cloud Backup Suite 7.15.6.55 Ahsay Cloud Backup Suite 7.17.0.30 Ahsay Cloud Backup Suite 7.17.0.50 Ahsay Cloud Backup Suite 8.1.0.24 Ahsay Cloud Backup Suite 8.1.0.50	25

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://www.wbsec.nl/ahsay/