PT-2020-20131 · Kaseya · Kaseya Traverse

Published: 2020-02-17 · Updated: 2022-01-01 · CVE-2020-8427

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Unitrends Backup versions prior to 10.4.1
Kaseya Traverse versions prior to 9.5.20

Description

The issue involves improper sanitization of an HTTP request parameter, which allows SQL injection and authentication bypass. Additionally, the Netflow Top Applications reporting API call is exposed to OS command injection against user accounts. This can be exploited by an authenticated attacker who submits a modified JSON field within the POST data sent to that API endpoint.

Recommendations

For Unitrends Backup versions prior to 10.4.1, update to version 10.4.1 or later to resolve the issue.
For Kaseya Traverse versions prior to 9.5.20, update to version 9.5.20 or later to resolve the issue.
As a temporary workaround, consider restricting access to the Netflow Top Applications reporting API call until a patch is available. Avoid using modified JSON fields within POST data to minimize the risk of exploitation.
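The two flaws described above share one root cause: a value taken from a JSON field in POST data reaches SQL text and an OS command without being validated or bound as data. The following is an added example, not code from Kaseya, Unitrends or this advisory, showing how a handler for a reporting endpoint of this kind can be hardened. The endpoint, the "application" field, the top_apps table and the report helper command are all assumed for illustration; the sample rows are constructed.

```python
"""Hardened handling of a JSON POST field before it reaches SQL or an OS command.

Hypothetical example (not vendor code): the request field name, the table
and the report helper are assumptions made for this illustration.
"""
import json
import re
import sqlite3
import subprocess

# Constructed sample data standing in for a Netflow "top applications" store.
SAMPLE_ROWS = [("http", 1200), ("dns", 340), ("ssh", 75)]

# Allowlist for the field: a short token of safe characters, nothing else.
# Quotes, spaces, semicolons, backticks and '$' never pass this check.
APP_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def open_sample_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE top_apps (app TEXT PRIMARY KEY, bytes INTEGER)")
    conn.executemany("INSERT INTO top_apps VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def parse_request(body: bytes) -> str:
    """Parse the POST body and validate the 'application' field (assumed name).

    Raises ValueError for anything that is not a JSON object carrying a plain
    application token, so malformed or tampered input is rejected up front.
    """
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise ValueError("body is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    app = data.get("application")
    if not isinstance(app, str) or not APP_NAME_RE.fullmatch(app):
        raise ValueError("invalid application name")
    return app


def top_app_bytes(conn, app: str):
    """Parameterised query: the value is bound by the driver, never spliced
    into the SQL string, so it is treated strictly as data."""
    row = conn.execute(
        "SELECT bytes FROM top_apps WHERE app = ?", (app,)
    ).fetchone()
    return row[0] if row else None


def run_report(app: str) -> str:
    """Invoke a (hypothetical) report helper with an argv list and no shell.

    With shell=False the value is passed as a single argument; no shell ever
    parses it, so metacharacters in it cannot start a second command.
    'echo' stands in for the real helper here.
    """
    result = subprocess.run(
        ["echo", "netflow-report", app],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def handle_top_applications(conn, body: bytes) -> dict:
    """Endpoint logic: validate, then query with bound parameters."""
    try:
        app = parse_request(body)
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    return {"status": 200, "application": app, "bytes": top_app_bytes(conn, app)}


if __name__ == "__main__":
    db = open_sample_db()
    print(handle_top_applications(db, b'{"application": "dns"}'))
    print(handle_top_applications(db, b'{"application": "dns\' OR 1=1 --"}'))
    print(run_report("dns"))
```

Two layers matter here. The allowlist rejects tampered fields before they reach any sink, and the parameterised query plus argv-style process invocation mean that even a value which somehow slipped past validation would still be handled as data rather than as SQL or shell syntax.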

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2020-8427

Affected Products

Kaseya Traverse
Unitrends Backup