CVE-2017-7281

Name of the Vulnerable Software and Affected Versions Unitrends Enterprise Backup versions prior to 9.1.2

Description An issue was discovered that allows an authenticated user to create a file on disk with a user-controlled extension, contents, and path due to a lack of sanitization of user input in the createReportName and saveReport functions in recoveryconsole/bpl/reports.php, leading to remote code execution.

Recommendations For versions prior to 9.1.2, update to version 9.1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the recoveryconsole/bpl/reports.php file to minimize the risk of exploitation. Avoid using the createReportName and saveReport functions until the issue is resolved.