Digital Defense VRT has disclosed four zero-day vulnerabilities in the Arcserve Unified Data Protection (UDP) platform.
The issues found were an unauthenticated sensitive information disclosure via /gateway/services/EdgeServiceImpl, an unauthenticated XML external entity (XXE) injection in /management/UdpHttpService, an unauthenticated sensitive information disclosure via /UDPUpdates/Config/FullUpdateSettings.xml, and a reflected cross-site scripting flaw via /authenticationendpoint/domain.jsp.
The two unauthenticated information disclosures and the XXE issue could be used by an attacker to obtain database and other credentials and to read files on the system hosting the UDP application, all without authentication. The reflected cross-site scripting issue could be used for phishing, Digital Defense reported.
Arcserve has fixed the issues and the patch needed to update a system is available from Arcserve support.