Sergio González González

**Name of the Vulnerable Software and Affected Versions** WBSAirback version 21.02.04 **Description** The issue is related to a command injection vulnerability in the operating system, specifically due to improper neutralisation of special elements in Active Directory integration. This allows the intended command to be modified when sent to a downstream component. **Recommendations** For WBSAirback version 21.02.04, consider restricting access to the Active Directory integration component to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using special elements in commands sent to downstream components. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WBSAirback version 21.02.04 **Description** The issue is related to a Cross-Site Request Forgery vulnerability, which could allow an attacker to create a manipulated HTML form to perform privileged actions once it is executed by a privileged user. **Recommendations** For WBSAirback version 21.02.04, consider disabling the execution of HTML forms from untrusted sources as a temporary workaround until a patch is available. Restrict access to privileged actions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WBSAirback version 21.02.04 **Description** The issue allows a user with low privileges to download files from the system due to a Path Traversal vulnerability in the Backup Agents section. **Recommendations** For WBSAirback version 21.02.04, consider restricting access to the Backup Agents section until a patch is available. As a temporary workaround, limit the privileges of users who can access this section to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WBSAirback version 21.02.04 **Description** The issue involves improper neutralisation of Server-Side Includes (SSI) through S3 Accounts, accessible via the "/admin/CloudAccounts" API endpoint. This could allow a remote user to execute arbitrary code. **Recommendations** For WBSAirback version 21.02.04, consider disabling access to the "/admin/CloudAccounts" API endpoint until a patch is available to prevent exploitation. Additionally, restrict the use of S3 Accounts to minimize the risk of arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WBSAirback version 21.02.04 **Description** The issue involves improper neutralisation of Server-Side Includes (SSI) through the Device NAS shared section, accessible via the `/admin/DeviceNAS` endpoint. This could allow a remote user to execute arbitrary code. **Recommendations** For WBSAirback version 21.02.04, consider restricting access to the `/admin/DeviceNAS` endpoint until a patch is available. As a temporary workaround, disabling the use of Server-Side Includes (SSI) in the Device NAS shared section may help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WBSAirback version 21.02.04 **Description** The issue involves improper neutralisation of Server-Side Includes (SSI) through Device Synchronizations at the "/admin/DeviceReplication" API endpoint. This could allow a remote user to execute arbitrary code. **Recommendations** For WBSAirback version 21.02.04, consider disabling the Device Synchronizations feature at the "/admin/DeviceReplication" API endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WBSAirback version 21.02.04 **Description** The issue involves improper neutralisation of Server-Side Includes (SSI) through S3 disks, specifically at the `/admin/DeviceS3` endpoint. This could allow a remote user to execute arbitrary code, potentially leading to privilege escalation. **Recommendations** For WBSAirback version 21.02.04, assess the impact of this issue, patch the system, and monitor for signs of exploitation. As a temporary workaround, consider restricting access to the `/admin/DeviceS3` endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WBSAirback version 21.02.04 **Description** The issue involves improper neutralisation of Server-Side Includes (SSI) through the License endpoint (/admin/CDPUsers), which could allow a remote user to execute arbitrary code. **Recommendations** For WBSAirback version 21.02.04, consider restricting access to the `/admin/CDPUsers` endpoint until a patch is available. As a temporary workaround, avoid using the License feature in the vulnerable version to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** White Bear Solutions WBSAirback version 21.02.04 **Description** The issue is related to uncontrolled resource consumption, which could be exploited by an attacker to influence the amount of resources consumed by sending multiple command injection payloads. **Recommendations** For version 21.02.04, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WBSAirback version 21.02.04 **Description** The issue is a stored Cross-Site Scripting (XSS) vulnerability. It occurs through the `/admin/SystemUsers` endpoint, specifically in the `login` and `description` fields, and the `passwd1` and `passwd2` parameters. This could allow a remote user to send a specially crafted URL to the victim and steal their session data. **Recommendations** For WBSAirback version 21.02.04, consider disabling access to the `/admin/SystemUsers` endpoint until a patch is available. As a temporary workaround, restrict the use of the `login` and `description` fields, and the `passwd1` and `passwd2` parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WBSAirback version 21.02.04 **Description** The issue is a stored Cross-Site Scripting (XSS) vulnerability. It occurs through the `/admin/SystemConfiguration` endpoint, specifically in the `name` and `free memory limit` fields, and the `type` and `password` parameters. This could allow a remote user to send a specially crafted URL to the victim and steal their session data. **Recommendations** For WBSAirback version 21.02.04, consider disabling access to the `/admin/SystemConfiguration` endpoint until a patch is available. Restrict input for the `name` and `free memory limit` fields, as well as the `type` and `password` parameters, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WBSAirback version 21.02.04 **Description** The issue is a stored Cross-Site Scripting (XSS) vulnerability, which occurs through the `/admin/DeviceReplication` endpoint, specifically in the execution range field, and affects all parameters. This could allow a remote user to send a specially crafted URL to the victim and steal their session data. **Recommendations** For WBSAirback version 21.02.04, consider disabling access to the `/admin/DeviceReplication` endpoint until a patch is available. As a temporary workaround, restrict the execution range field to minimize the risk of exploitation. Avoid using all parameters in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WBSAirback version 21.02.04 **Description** The issue is a stored Cross-Site Scripting (XSS) vulnerability. It occurs through the "/admin/CloudAccounts" API endpoint, specifically in the account name, `user password`, and `server` fields, affecting all parameters. This could allow a remote user to send a specially crafted URL to the victim and steal their session data. **Recommendations** For WBSAirback version 21.02.04, consider disabling access to the "/admin/CloudAccounts" API endpoint until a patch is available. Additionally, restrict the use of the `account name`, `user password`, and `server` fields to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WBSAirback version 21.02.04 **Description** The issue is a stored Cross-Site Scripting (XSS) vulnerability that occurs through the `/admin/AdvancedSystem` endpoint, specifically in the description field, and affects all parameters. This could allow a remote user to send a specially crafted URL to the victim and steal their session data. **Recommendations** For WBSAirback version 21.02.04, consider disabling access to the `/admin/AdvancedSystem` endpoint until a patch is available, and restrict the use of the description field to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WBSAirback version 21.02.04 **Description** The issue is a stored Cross-Site Scripting (XSS) vulnerability that occurs through the `/admin/BackupTemplate` endpoint, specifically in the `name` and `description` fields. This could allow a remote user to send a specially crafted URL to the victim and steal their session data. **Recommendations** For WBSAirback version 21.02.04, as a temporary workaround, consider restricting access to the `/admin/BackupTemplate` endpoint until a patch is available. Additionally, avoid using the `name` and `description` fields in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WBSAirback version 21.02.04 **Description** The issue is a stored Cross-Site Scripting (XSS) vulnerability that occurs through the "/admin/BackupSchedule" endpoint, specifically in the description field. This could allow a remote user to send a specially crafted URL to the victim and steal their session data. **Recommendations** For WBSAirback version 21.02.04, consider disabling access to the "/admin/BackupSchedule" endpoint until a patch is available, and restrict the use of the description field to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.