CVE-2020-5846
CVE-2020-5846 is a high-severity vulnerability in Ahsay Cloud Backup Suite with a CVSS 3.x base score of 8.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-434.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- CVSS v2: 4.0
- EPSS exploit prediction: 1% (69th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-434
- Affected product: Ahsay Cloud Backup Suite
- Published:
- Last modified:
Description
An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.3.0.30 via a "PUT /obs/obm7/file/upload" request with the base64-encoded pathname in the X-RSW-custom-encode-path HTTP header, and the content in the HTTP request body. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full system access as the configured user (e.g., Administrator) when starting from any authenticated session (e.g., a trial account). This is fixed in the 83/830122/cbs-*-hotfix-task26000 builds.
Frequently asked questions
- What is CVE-2020-5846?
- An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.3.0.30 via a "PUT /obs/obm7/file/upload" request with the base64-encoded pathname in the X-RSW-custom-encode-path HTTP header, and the content in the HTTP request body. It is possible to upload a file into any directory of the server. One can insert a JSP shell into the web server's directory and execute it. This leads to full system access as the configured user (e.g., Administrator) when starting from any authenticated session (e.g., a trial account). This is fixed in the 83/830122/cbs-*-hotfix-task26000 builds.
- How severe is CVE-2020-5846?
- CVE-2020-5846 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2020-5846 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (69th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2020-5846?
- CVE-2020-5846 affects Ahsay Cloud Backup Suite. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2020-5846?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2020-5846 published?
- CVE-2020-5846 was published on 2020-01-06 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:ahsay:cloud_backup_suite:8.3.0.30:*:*:*:*:*:*:*
More vulnerabilities in Ahsay Cloud Backup Suite
- CVE-2019-10267 — High (CVSS 8.8): An insecure file upload and code execution issue was discovered in Ahsay Cloud Backup Suite 8.1.0.50. It is possible to…
- CVE-2019-10266 — High (CVSS 7.5): An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. When sending an out-of-bounds XML document to a…
- CVE-2019-10265 — High (CVSS 7.5): An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. On the /cbs/system/ShowAdvanced.do "File Explorer"…
- CVE-2022-37027 — High (CVSS 7.2): Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject arbitrary Java JVM options. Administrators that…
- CVE-2019-10264 — High (CVSS 7.2): An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. With a valid administrator account, the "Move /…
- CVE-2019-10263 — Medium (CVSS 6.1): An issue was discovered in Ahsay Cloud Backup Suite before 8.1.1.50. When creating a trial account, it is possible to…
All CVEs affecting Ahsay Cloud Backup Suite →
Other CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities
- CVE-2026-48283 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-48276 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-57700 — Critical (CVSS 10.0): Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This…
- CVE-2025-69129 — Critical (CVSS 10.0): Unauthenticated Arbitrary File Upload in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7…
- CVE-2026-40772 — Critical (CVSS 10.0): Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.
- CVE-2026-40412 — Critical (CVSS 10.0): Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code…
Browse all CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities →