PT-2023-8528 · Vinchin · Vinchin Backup & Recovery
Gregory Boddin · Published 2023-10-25 · Updated 2023-12-29
CVE-2023-45498 · CVSS v2.0: 10 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Vinchin Backup & Recovery versions 5.0.* through 7.0.*
Description
The issue stems from a lack of input data sanitization, which allows a remote attacker to execute arbitrary commands; it is a command injection vulnerability. No estimate of the number of potentially affected devices is provided, and there is no information about real-world incidents in which this issue was exploited.
Recommendations
For versions 5.0.* through 7.0.*, upgrade to version 7.2.0 to mitigate the issue.
As a temporary workaround, consider restricting access to API endpoints that may be vulnerable to command injection until a patch is available.
Avoid using hard-coded credentials in API ACLs to minimize the risk of exploitation.
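The advisory names only the flaw class, so the following is an added, generic illustration and not Vinchin's code: the endpoint, the `target` parameter, the `ping` command and the sample log lines are all constructed for the example and say nothing about the real vulnerable code path. It contrasts the unsafe pattern (user input pasted into a shell string) with the two controls a defender would apply, strict input validation and an argv list with no shell, and adds a simple metacharacter check that can be run over request parameters while access to the API is restricted as a workaround.

```python
"""Generic command-injection pattern and its hardened form (added example).

Nothing here is taken from the affected product; ``target``, ``ping`` and the
log lines below are constructed solely to illustrate the flaw class named in
the advisory (missing input sanitization leading to command execution).
"""
import re
import subprocess

# Constructed allowlist for a hypothetical hostname parameter: letters, digits,
# dots and hyphens only, so shell metacharacters can never pass.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# Shell metacharacters whose presence in a hostname-like parameter is a red flag.
META_RE = re.compile(r"[;&|`$<>()\n]")


def build_command_vulnerable(target: str) -> str:
    """Unsafe pattern: the parameter is interpolated into a shell string with no
    validation. If this string were passed to ``subprocess.run(..., shell=True)``
    the shell would interpret any metacharacters in ``target``. Returned only,
    never executed here."""
    return f"ping -c 1 {target}"


def is_safe_target(target: str) -> bool:
    """True only if ``target`` matches the strict hostname allowlist."""
    return HOSTNAME_RE.fullmatch(target) is not None


def validate_target(target: str) -> str:
    """Reject anything that is not a plain hostname; raises on bad input."""
    if not is_safe_target(target):
        raise ValueError(f"invalid target: {target!r}")
    return target


def build_command_hardened(target: str) -> list:
    """Hardened form: validated input placed in an argv list. With shell=False
    the operating system receives the arguments verbatim, so even a value that
    slipped past validation could not spawn a second command."""
    return ["ping", "-c", "1", validate_target(target)]


def run_hardened(target: str) -> int:
    """Execute the hardened command without a shell and return its exit code."""
    return subprocess.run(build_command_hardened(target), shell=False,
                          capture_output=True).returncode


def looks_injected(value: str) -> bool:
    """Cheap detection check: shell metacharacters in a parameter that should
    only ever hold a hostname."""
    return META_RE.search(value) is not None


def find_suspicious(log_lines: list) -> list:
    """Scan constructed request-log lines of the form 'METHOD path?target=VALUE'
    and return the raw target values that look like injection attempts."""
    hits = []
    for line in log_lines:
        m = re.search(r"[?&]target=([^&\s]*)", line)
        if m and looks_injected(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "POST /api/backup/check?target=backup-01.example",
    "POST /api/backup/check?target=host;id",
    "POST /api/backup/check?target=`whoami`",
]

if __name__ == "__main__":
    print(build_command_vulnerable("host;id"))      # shows the interpolated string
    print(build_command_hardened("backup-01.example"))
    print(find_suspicious(SAMPLE_LOG))
```

The allowlist is the primary control; the argv list is defence in depth, since it removes the shell from the picture even when validation is wrong. The log check is deliberately coarse and intended for triage, not as a substitute for patching.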
Weakness Enumeration
Command Injection
Related Identifiers
Affected Products
Vinchin Backup & Recovery