PT-2013-3907 · Ithemes · Backupbuddy
Published
2013-04-02
·
Updated
2013-04-02
·
CVE-2013-2741
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
BackupBuddy plugin versions 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4
Description
The issue allows remote attackers to obtain sensitive information, or overwrite or delete files, via various vectors involving direct or step-specific requests to importbuddy.php. This is possible because the importbuddy.php file in the affected plugin does not require authentication to be enabled.
Recommendations
For BackupBuddy plugin version 1.3.4, update to a version that requires authentication for importbuddy.php.
For BackupBuddy plugin version 2.1.4, update to a version that requires authentication for importbuddy.php.
For BackupBuddy plugin version 2.2.25, update to a version that requires authentication for importbuddy.php.
For BackupBuddy plugin version 2.2.28, update to a version that requires authentication for importbuddy.php.
For BackupBuddy plugin version 2.2.4, update to a version that requires authentication for importbuddy.php.
Exploit
Fix
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Backupbuddy