CVE-2023-48682 in Cyber Protectinfo

Summary

by MITRE • 02/27/2024

Stored cross-site scripting (XSS) vulnerability in unit name. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 37391.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/07/2025

This stored cross-site scripting vulnerability exists within Acronis Cyber Protect 16 software across both Linux and Windows platforms prior to build 37391. The flaw specifically manifests in the handling of unit names where user-supplied input is not properly sanitized before being stored and subsequently rendered in web interfaces. This vulnerability falls under the CWE-079 category of Cross-Site Scripting and represents a classic stored XSS attack vector where malicious scripts can be persistently injected into the application's database and executed whenever affected pages are accessed by other users.

The technical implementation of this vulnerability allows an attacker to inject malicious JavaScript code through the unit name field which serves as an entry point for persistent script execution. When administrators or other users view the affected unit names in the web interface, the stored scripts execute in their browsers, potentially leading to session hijacking, credential theft, or redirection to malicious sites. The vulnerability stems from insufficient input validation and output encoding mechanisms within the application's data handling processes, particularly in how the system processes and displays user-provided unit identifiers.

The operational impact of this vulnerability is significant as it enables attackers to compromise user sessions and potentially escalate privileges within the Acronis Cyber Protect environment. An attacker could craft malicious unit names containing script payloads that would execute in the context of other users' browsers, creating a persistent threat that remains active until the affected software is updated. This vulnerability particularly affects administrators who frequently interact with unit names in the management interface, making it a high-value target for exploitation. The attack chain typically involves initial access through unit name manipulation followed by script execution in victim browsers, which aligns with ATT&CK technique T1531 for Account Access Removal and T1059.007 for Command and Scripting Interpreter.

Mitigation strategies should focus on immediate software updates to build 37391 or later versions where the XSS vulnerability has been patched. Organizations should implement proper input sanitization and output encoding mechanisms for all user-supplied data, particularly in fields that are stored and subsequently rendered. Network segmentation and monitoring of administrative interfaces can help detect anomalous unit name creation patterns. The vulnerability demonstrates the importance of secure coding practices and input validation as outlined in OWASP Top Ten A03:2021 - Injection and the CWE-79 remediation guidelines. Regular security assessments and code reviews should be conducted to identify similar input handling vulnerabilities in other application components. Additionally, implementing Content Security Policy headers and using security libraries for input validation can provide additional defense-in-depth measures against similar stored XSS threats in the broader application ecosystem.

Reservation

11/17/2023

Disclosure

02/27/2024

Moderation

accepted

CPE

ready

EPSS

0.00334

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!