Ahsay Cloud Backup vulnerabilities

AhsayCBS is a server component to be installed on a physical server or virtual machine. It comes with a web based central management console for system administrator to easily manage the whole backup system, as well as all AhsayOBM / AhsayACB backup users and their backup data through any web browser. Users can also login to the User Web Console to manage backup set, perform backup/restore and monitor live activities.

Users’ backup data can be hosted on AhsayCBS internal storage, FTP / SFTP server, and cloud storage (e.g. Amazon S3, Google Cloud Storage, Microsoft Azure, etc.).

https://www.rapid7.com/db/modules/exploit/windows/misc/ahsay_backup_fileupload
https://www.exploit-db.com/exploits/47180
https://www.exploit-db.com/exploits/47179
https://www.exploit-db.com/exploits/47181
Hotfix - https://www.ahsay.com/partners/en/home/index.jsp?pageContentKey=ahsay_assets_hotfix-v8

2019

CVE-2019-10263 - Stored Cross Site Scripting (XSS) Jul 26
CVE-2019-10264 - XML External Entity (XXE) Jul 26
CVE-2019-10265 - Path Traversal Jul 26
CVE-2019-10266 - unauthenticated XML External Entity (XXE) Jul 26
CVE-2019-10267 - File Upload Jul 26