PT-2017-17635 · Unitrends · Unitrends Enterprise Backup

Published: 2017-04-12 · Updated: 2019-10-03 · CVE-2017-7284

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Unitrends Enterprise Backup versions prior to 9.1.2

Description: The password-change function reached through the "api/includes/users.php" endpoint accepts a new password for the logged-in account without requiring the account's current password. An attacker who has hijacked a Unitrends Enterprise Backup web server session (the PR:L component of the CVSS vector reflects that a valid session, not the credentials, is the precondition) can therefore set a password of their choice. This turns a transient session compromise into persistent account takeover: the attacker can log in with the new password after the stolen session expires, and the legitimate user is locked out.

Recommendations: For versions prior to 9.1.2, update to version 9.1.2 or later to resolve the issue. As a temporary workaround, restrict access to the "api/includes/users.php" endpoint (for example, to trusted administrator addresses) until the update is applied; this also blocks legitimate requests to that endpoint, so lift the restriction once 9.1.2 is deployed. Because the attack needs a hijacked session, the usual session protections (TLS for all web traffic, short session lifetimes) reduce exposure but do not replace the missing current-password check.
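The flaw class described above, as an added illustration for this page: it is not Unitrends' code and not the contents of api/includes/users.php, which the advisory does not show. A password-change handler that checks only for a valid session sits beside a hardened handler that re-authenticates with the current password and revokes the account's other sessions. The Store and User classes, the handler names, the endpoint-free call shape and the sample credentials are all hypothetical.

```python
"""Illustrative password-change handlers: the missing current-password check
behind CVE-2017-7284, beside a hardened version.

Hypothetical code written for this page; not Unitrends' users.php. The
Store/User names, parameters and sample credentials are invented here.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count kept modest so the demo runs fast."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class Store:
    """In-memory user and session tables (a stand-in for the real backend)."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, str] = {}  # session token -> username

    def create_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, hash_password(password, salt))

    def verify(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        if user is None:
            return False
        return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))

    def login(self, name: str, password: str):
        """Return a fresh session token on success, None otherwise."""
        if not self.verify(name, password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = name
        return token


def set_password(store: Store, name: str, new_password: str) -> None:
    user = store.users[name]
    user.salt = os.urandom(16)
    user.pw_hash = hash_password(new_password, user.salt)


def change_password_vulnerable(store: Store, token: str, new_password: str) -> str:
    """Flawed pattern: a valid session is the only thing checked, so whoever
    holds the token (the owner or a hijacker) can set a new password."""
    name = store.sessions.get(token)
    if name is None:
        return "unauthenticated"
    set_password(store, name, new_password)
    return "ok"


def change_password_fixed(store: Store, token: str, current_password: str,
                          new_password: str) -> str:
    """Hardened pattern: re-authenticate with the current password, then revoke
    every other session of the account so a stolen token stops working."""
    name = store.sessions.get(token)
    if name is None:
        return "unauthenticated"
    if not store.verify(name, current_password):
        return "wrong current password"
    set_password(store, name, new_password)
    for other in [t for t, n in store.sessions.items() if n == name and t != token]:
        del store.sessions[other]
    return "ok"


def vulnerable_scenario() -> dict:
    """A hijacked token alone is enough for full account takeover."""
    store = Store()
    store.create_user("admin", "Correct-Horse")      # constructed sample account
    stolen = store.login("admin", "Correct-Horse")   # token the attacker hijacked
    outcome = change_password_vulnerable(store, stolen, "attacker-pw")
    return {
        "outcome": outcome,
        "attacker_can_login": store.login("admin", "attacker-pw") is not None,
        "owner_locked_out": store.login("admin", "Correct-Horse") is None,
    }


def fixed_scenario() -> dict:
    """The hijacker fails re-authentication; the owner rotates the password,
    which also kills the stolen session."""
    store = Store()
    store.create_user("admin", "Correct-Horse")
    stolen = store.login("admin", "Correct-Horse")
    attempt = change_password_fixed(store, stolen, "guess", "attacker-pw")
    owner = store.login("admin", "Correct-Horse")    # owner still gets in
    rotate = change_password_fixed(store, owner, "Correct-Horse", "Rotated-Pw-2")
    return {
        "attacker_attempt": attempt,
        "owner_not_locked_out": owner is not None,
        "rotate": rotate,
        "stolen_token_revoked": stolen not in store.sessions,
        "owner_token_kept": owner in store.sessions,
    }


if __name__ == "__main__":
    print(vulnerable_scenario())
    print(fixed_scenario())
```

The second scenario shows why the fix needs both halves: re-authentication alone stops the hijacker from changing the password, but without revoking the account's other sessions the stolen token would keep working until it expires, even after the owner rotates the password.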


Weakness Enumeration

Improper Authentication (CWE-287)

Related identifiers

CVE-2017-7284

Affected products

Unitrends Enterprise Backup