In Unitrends Backup before 10.4.1, an HTTP request parameter was not properly sanitized, allowing for SQL injection that resulted in an authentication bypass.
This vulnerability was identified and reported by a security researcher, Cale Smith of EasyShell Security.
Kaseya/Unitrends remediated the vulnerability by replacing the dynamically built SQL statement with a parameterized query. Additionally, standardized input sanitization is being applied to the formerly vulnerable parameter.
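The following is an added illustration of the remediation pattern described above; it is not Unitrends code and assumes nothing about the product's real schema, table names or parameter names. It builds a constructed in-memory SQLite user table, shows a login check that concatenates a request parameter into the SQL text (the class of defect the advisory describes) beside the parameterized form that fixes it, and adds a standardized allow-list check on the parameter as a second layer. The crafted username is a constructed regression input that a defender would keep in a test suite to confirm the fix holds.

```python
import re
import sqlite3

# Constructed in-memory user table; the schema is hypothetical and only
# serves this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hash-of-admin-password')")
    conn.commit()
    return conn


def login_dynamic(conn, username, password_hash):
    """Vulnerable pattern: the request parameter becomes part of the SQL text.

    A username containing a quote and a comment marker changes the query
    structure, so the password comparison is never evaluated.
    """
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password_hash):
    """Fixed pattern: placeholders, with the values passed separately.

    The driver binds the values as data, so whatever characters the
    username contains, it can only ever be compared as a literal string.
    """
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()[0] > 0


# Standardized allow-list check applied before the query runs. This is
# defence in depth: parameterization alone closes the injection, but
# rejecting malformed input early also keeps it out of logs and later
# processing. The character set and length limit are assumptions.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def is_well_formed_username(value):
    return bool(_USERNAME_RE.match(value))


def login_hardened(conn, username, password_hash):
    """Validate the parameter, then use the parameterized query."""
    if not is_well_formed_username(username):
        return False
    return login_parameterized(conn, username, password_hash)


if __name__ == "__main__":
    db = make_db()
    crafted = "admin' --"  # constructed regression input: quote + SQL comment
    print("dynamic, crafted username, wrong password:",
          login_dynamic(db, crafted, "wrong"))            # True  (flaw)
    print("parameterized, same input:",
          login_parameterized(db, crafted, "wrong"))      # False (fixed)
    print("hardened, same input:",
          login_hardened(db, crafted, "wrong"))           # False (rejected early)
    print("parameterized, valid credentials:",
          login_parameterized(db, "admin", "hash-of-admin-password"))  # True
```

The difference between the two login functions is only where the parameter value enters the statement: as text that the SQL parser interprets, or as a bound value the parser never sees. The allow-list check does not replace parameterization; it is the "standardized input sanitization" layer the advisory mentions, applied in addition to it.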
Remediation Timeframe
Report Received: January 22, 2022
Patch Released: February 4, 2020
Fix Version: Recovery Series 10.4.1
Customer Remediation
All customers should upgrade their Unitrends Backup instances to Version 10.4.1 or later.
LINK TO ADVISORIES
Version 10.4.1 Release Notes: