[Forgot Password]
Login  Register Subscribe

30481

 
 

423868

 
 

255116

 
 

909

 
 

198683

 
 

282

Paid content will be excluded from the download.


Download | Alert*
CVE
view JSON

CVE-2023-26258Date: (C)2023-07-04   (M)2023-11-10


Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute any task as administrator.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:CVSS V2 Severity:
CVSS Score : 9.8CVSS Score :
Exploit Score: 3.9Exploit Score:
Impact Score: 5.9Impact Score:
 
CVSS V3 Metrics:CVSS V2 Metrics:
Attack Vector: NETWORKAccess Vector:
Attack Complexity: LOWAccess Complexity:
Privileges Required: NONEAuthentication:
User Interaction: NONEConfidentiality:
Scope: UNCHANGEDIntegrity:
Confidentiality: HIGHAvailability:
Integrity: HIGH 
Availability: HIGH 
  
Reference:
https://support.arcserve.com/s/article/KB000015720?language=en_US
https://www.arcserve.com/products/arcserve-udp
https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup/

CWE    1
CWE-863

© SecPod Technologies