CVE ID
CVE-2020-8427
DESCRIPTION
In Unitrends Backup before 10.4.1, an HTTP request parameter was not properly sanitized, allowing for SQL injection that resulted in an authentication bypass.
This vulnerability was identified and reported by a security researcher, Cale Smith of EasyShell Security.
RESOLUTION
Kaseya/Unitrends remediated the vulnerability by changing the execution of a dynamic SQL statement to a parameterized execution. Additionally, standardized input sanitization is being applied to the formerly vulnerable parameter.
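To make the remediation concrete, the following is an added example (not Unitrends code and not the researcher's report) showing the two patterns side by side as a defender's regression check: an authentication lookup that interpolates the request parameter into the SQL text, next to the same lookup using parameterized execution and, as defence in depth, allowlist validation of the parameter. The user table, credentials, hashing routine and username policy are all constructed for the example.

```python
import hashlib
import re
import sqlite3

# Constructed stand-in for an application's credential table (example data only).
USERS = [("admin", "correct horse battery staple")]

# Username policy assumed for the example; the advisory does not state the
# actual sanitization rules applied to the parameter.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def password_hash(password: str) -> str:
    # Placeholder hashing so the example stays self-contained; a real credential
    # store would use a salted, slow KDF (bcrypt, scrypt or Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(user, password_hash(pw)) for user, pw in USERS],
    )
    conn.commit()
    return conn


def login_dynamic(conn: sqlite3.Connection, username: str, password: str):
    """Flawed pattern: the request parameter becomes part of the SQL text.

    A quote or comment marker inside the username changes the statement the
    database evaluates, which is how a credential check turns into a bypass.
    """
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, password_hash(password))
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Remediated pattern: fixed SQL text with bound values.

    The driver passes the username to the engine as data, never as syntax,
    so its content cannot alter the WHERE clause.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash(password)),
    ).fetchone()
    return row[0] if row else None


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query plus allowlist validation of the request parameter.

    Validation rejects input the application never expects; the parameter
    binding is what actually closes the injection. Use both, never only the first.
    """
    if not USERNAME_RE.match(username):
        return None
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = build_db()
    print(login_dynamic(db, "admin", "correct horse battery staple"))
    print(login_dynamic(db, "admin'--", "wrong"))  # credential check bypassed
    print(login_parameterized(db, "admin'--", "wrong"))  # rejected
    print(login_hardened(db, "admin'--", "wrong"))  # rejected before the query
```

Running the block shows the dynamic variant accepting a wrong password once the username carries a quote and a comment marker, while both remediated variants return no match for the same input. A check like this, kept in the test suite, is what confirms that a fix such as the one described above cannot regress silently.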
Remediation Timeframe
Report Received: January 22, 2022
Patch Released: February 4, 2020
Fix Version: Recovery Series 10.4.1
Customer Remediation
All customers should upgrade their Unitrends Backup instances to Version 10.4.1 or later.
LINK TO ADVISORIES
NOTES
Related Links
Version 10.4.1 Release Notes:
https://helpdesk.kaseya.com/hc/en-gb/articles/4407523540625