The issues found were an unauthenticated sensitive information disclosure via /gateway/services/EdgeServiceImpl, an unauthenticated XML external entity (XXE) injection in /management/UdpHttpService, an unauthenticated sensitive information disclosure via /UDPUpdates/Config/FullUpdateSettings.xml and a reflected cross-site scripting flaw via /authenticationendpoint/domain.jsp.
The two unauthenticated information disclosures and the XXE flaw could be used by an attacker to obtain database and other credentials and to read files on the system hosting the UDP application, all without authentication. The reflected cross-site scripting issue could be used for phishing, Digital Defense reported.
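As an added example, not code from the article or from Arcserve, the following shows the standard mitigation for the XXE class of flaw described above: a JAXP parser configuration that refuses DTDs and external entities, so a request body carrying an external entity declaration is rejected before any file or URL is resolved. It assumes a Java stack (inferred only from the .jsp endpoint named above, not stated by the article), and the two XML inputs are constructed samples.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class HardenedXmlParser {

    // Constructed sample: a DOCTYPE that declares an external entity, the
    // shape of input an XXE probe carries. The SYSTEM target is a placeholder;
    // the hardened parser rejects the DOCTYPE before it is ever resolved.
    static final String DOCTYPE_INPUT =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE cfg [ <!ENTITY ext SYSTEM \"file:///placeholder\"> ]>\n"
      + "<cfg><value>&ext;</value></cfg>";

    // Constructed sample: ordinary input with no DTD, which must still parse.
    static final String PLAIN_INPUT = "<cfg><value>ok</value></cfg>";

    /** Build a DocumentBuilder with DTDs and external entities disabled. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: no DTD means no entity declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: forbid all external DTD and schema access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    /** Parse untrusted XML; returns the document, or null when it is rejected. */
    static Document parseUntrusted(String xml) {
        try {
            return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        } catch (SAXException e) {
            // A DOCTYPE raises a SAXParseException here: log it and refuse the input.
            System.err.println("rejected XML input: " + e.getMessage());
            return null;
        } catch (ParserConfigurationException | IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        System.out.println("plain input parsed:   " + (parseUntrusted(PLAIN_INPUT) != null));
        System.out.println("doctype input parsed: " + (parseUntrusted(DOCTYPE_INPUT) != null));
    }
}
```

Running the class with the JDK's built-in parser prints `true` for the plain input and `false` for the DOCTYPE input. The rejection log line is also a useful detection signal: an unauthenticated endpoint that suddenly starts logging DOCTYPE rejections is being probed for exactly this flaw.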
Arcserve has fixed the issues and the patch needed to update a system is available from Arcserve support.
This article was first published in SC Media US.