CVE-2023-48682: Stored XSS Vulnerability in Unit Name Affecting Acronis Cyber Protect 16
A newly discovered vulnerability dubbed CVE-2023-48682 has been reported recently that affects Acronis Cyber Protect 16 (Linux, Windows) before build 37391. This vulnerability is a stored cross-site scripting (XSS) issue in the unit name field which can lead to various security risks when exploited. Before diving into the vulnerability, let us first understand Acronis Cyber Protect and stored cross-site scripting.
Acronis Cyber Protect is a comprehensive cybersecurity solution designed to safeguard critical data, applications, and systems. With features like integrated backup and recovery, AI-based anti-malware protection, and endpoint management, it aims to protect its users from modern threats.
Stored cross-site scripting (XSS) is a type of security vulnerability in web applications that allows an attacker to inject malicious scripts into web pages viewed by other users. The injected script is stored on the server and executed whenever the affected page is accessed by a user. This can lead to issues like stealing user's data, session hijacking, and unauthorized access to sensitive information.
Now let's delve deeper into the specifics of this vulnerability (CVE-2023-48682), its potential impact, and the recommended mitigation strategies.
Vulnerability Details
The vulnerability arises due to a lack of proper input validation and secure data output in the "unit name" field in Acronis Cyber Protect. This allows an attacker to inject malicious scripts in the form of a unit name, which will be stored on the server and executed whenever the page containing the unit name is accessed by other users.
Here's a code snippet demonstrating the vulnerability
// Attacker provides the malicious unit name
var maliciousUnitName = '<script>alert("XSS")</script>';
// The server saves the malicious unit name without proper sanitization
unitName = maliciousUnitName;
// Affected page contains the unit name without proper encoding
document.write(unitName);
When a user visits a page containing the affected unit name, the malicious script is executed, compromising the user's data and security.
Affected Products
This vulnerability affects Acronis Cyber Protect 16 (Linux, Windows) before build 37391.
Exploit
An attacker with access to the Acronis Cyber Protect platform could create or modify a unit name and add a malicious script. When the affected page containing the injected script is viewed by another user, the script is executed within their browser context.
The following links provide detailed information on the CVE-2023-48682 vulnerability, including the official Common Vulnerabilities and Exposures (CVE) database entry and the official Acronis Security Advisory:
- CVE-2023-48682 - National Vulnerability Database
- Acronis Security Advisory (ID: ASA-2023-001)
Mitigation
Users of Acronis Cyber Protect should update their software to the latest version (build 37391 or newer) to address this vulnerability. Meanwhile, Acronis has released a security patch that mitigates the risk associated with this vulnerability, which can be downloaded from their official website.
Moreover, Acronis advises adhering to secure coding practices, such as input validation, secure data output, and proper encoding of user-generated content, to avoid similar vulnerabilities in the future.
Conclusion
CVE-2023-48682 is a serious vulnerability that compromises the security of Acronis Cyber Protect users. By ensuring the software is up-to-date and following secure coding practices, organizations can mitigate the risk posed by this vulnerability and protect their critical data and systems.
Timeline
Published on: 02/27/2024 17:15:11 UTC
Last modified on: 02/28/2024 14:07:00 UTC