Acronis Program Statistics


119 total issues disclosed

$15,287 total paid publicly

Most disclosed (25 disclosures) — Privilege Escalation



Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
| --- | --- | --- | --- | --- |
| [oem.acronis.com] Reflected Cross Site Scripting | Cross-site Scripting (XSS) - Reflected | darkdream | Medium | 2024-12-28 |
| IP restriction bypass via X-Forwarded-For header | Forced Browsing | mrityushell | Low | 2024-12-05 |
| Rate limit bypass on passport.acronis.work using X-Forwarded-For request header | None supplied | analyz3r | Medium | 2024-11-28 |
| Reflected XSS in https://www.acronis.com/products/cyber-protect/trial/ | Cross-site Scripting (XSS) - Reflected | tomblorg | Low | 2024-11-20 |
| IDOR in backup recovery functionality | None supplied | theelgo64 | High | 2024-11-13 |
| Potential XSS Vulnerability in Acronis Login Callback URL | Cross-site Scripting (XSS) - Generic | kindone | High | 2024-11-06 |
| Potential XSS in redirect_url Parameter | Cross-site Scripting (XSS) - Reflected | kindone | Medium | 2024-11-06 |
| Bypassing Recaptcha Protection in `https://connect.acronis.com` | Violation of Secure Design Principles | regexr | Low | 2024-10-30 |
| Blind XSS on admin.acronis.com via delete account form on account.acronis.com | Cross-site Scripting (XSS) - Stored | mubassirpatel | High | 2024-10-30 |
| [forum.acronis.com] JNDI Code Injection due an outdated log4j component | OS Command Injection | godiego | Critical | 2024-08-28 |
| [CVE-2021-44228] Arbitrary Code Execution on ng01-cloud.acronis.com | None supplied | mikkocarreon | Critical | 2024-08-28 |
| SQL injection in https://demor.adr.acronis.com/ via the username parameter | SQL Injection | mmg | High | 2024-08-28 |
| Local Privilege Escalation via DLL Search-Order Hijacking with Cyber Protection Agent - systeminfo.exe utility | Privilege Escalation | mmg | Medium | 2024-08-27 |
| Local Privilege Escalation and Code Execution when restoring files from Quarantine | Privilege Escalation | z3ron3 | Medium | 2024-08-27 |
| Blind SSRF vulnerability on cz.acronis.com | Server-Side Request Forgery (SSRF) | cabelo | Medium | 2024-08-27 |
| Local Privilege Escalation when updating Acronis True Image | Privilege Escalation | z3ron3 | Medium | 2024-08-27 |
| Local Privilege Escalation using System Clean-up functionality | Privilege Escalation | z3ron3 | Medium | 2024-08-27 |
| Local Privilege Escalation via Backup delete | Privilege Escalation | z3ron3 | Medium | 2024-08-27 |
| Reflected XSS on www.acronis.com/de-de/my/subscriptions/index.html | Cross-site Scripting (XSS) - Reflected | cabelo | Low | 2024-08-27 |
| Arbitrary Files and Folders Deletion vulnerability with Acronis Managed Machine Service | Privilege Escalation | mmg | Medium | 2024-08-27 |
| TrueImage for Acronis True Image 2020 - Untrusted DLL Search-Ordering lead to Privilege Escalation as Administrative account | Privilege Escalation | vanitas | Medium | 2024-08-27 |
| Acronis True Image 2020 Build 22510 Nonstop Backup Service Unquoted service path (privilege escalation) | Privilege Escalation | sanderz31 | Low | 2024-08-27 |
| DLL Hijacking when creating Rescue Media Builder leading to Privilege Escalation | Privilege Escalation | z3ron3 | Medium | 2024-08-27 |
| DLL Hijacking when sending feedback and crash report leading to Privilege Escalation | Privilege Escalation | z3ron3 | Medium | 2024-08-27 |
| Local Privilege Escalation via EXE hijacking with Acronis True Image 2021 - Acronis Scheduler2 Service | Privilege Escalation | mmg | Low | 2024-08-27 |
| Local Privilege Escalation via EXE hijacking with Acronis True Image 2021 installer | Privilege Escalation | mmg | Low | 2024-08-27 |
| Credentials leaked via Github | Use of Hard-coded Credentials | sheikh_chilli | Medium | 2024-08-26 |
| Large Amounts of Back-End Acronis Source Code is Publicly Accessible | Information Exposure Through Directory Listing | shadowmap | Medium | 2024-08-26 |
| XSS in https://promo.acronis.com/ | Cross-site Scripting (XSS) - DOM | yash_ | Low | 2024-08-26 |
| CSRF and XSS on www.acronis.com | Cross-site Scripting (XSS) - Reflected | cabelo | Low | 2024-08-26 |
| Cross Site Scripting (Reflected) on https://www.acronis.cz/dotaznik/roadshow-2020/ | Cross-site Scripting (XSS) - Reflected | darkdream | Low | 2024-08-26 |
| Local Privilege Escalation when deleting a file from Quarantine | Privilege Escalation | z3ron3 | Medium | 2024-08-26 |
| Acronis Sync Agent Service - Untrusted DLL Search-Ordering lead to Privilege Escalation | Privilege Escalation | vanitas | Medium | 2024-08-26 |
| DLL Hijacking when performing operations in Acronis Secure Zone partition leading to Privilege Escalation | Privilege Escalation | z3ron3 | Medium | 2024-08-26 |
| Local Privilege Escalation via DLL Search-Order Hijacking with Cyber Protection Agent - tibxread.exe utility | Privilege Escalation | mmg | Medium | 2024-08-26 |
| Stored XSS in plan name field (Acronis Cyber Protect) | Cross-site Scripting (XSS) - Stored | und3sc0n0c1d0 | Medium | 2023-10-09 |
| Missing brute force protection on login page on www.acronis.com | Improper Restriction of Authentication Attempts | brazil1 | No rating | 2023-08-30 |
| Delete any user's added Email,Telephone,Fax,Address,Skype via csrf in (https://academy.acronis.com/) | None supplied | imranhudaa | Low | 2023-04-25 |
| Cross Origin Resource Sharing Misconfiguration | Improper Access Control - Generic | parshwa_21 | Medium | 2023-01-10 |
| mysql credentials exposed on - https://cz.acronis.com/docker-compose.yml | Insufficiently Protected Credentials | melar_dev | Low | 2022-12-24 |
| XSS in Acronis Cloud Manager Admin Portal | Cross-site Scripting (XSS) - Generic | mooimacow | Medium | 2022-12-02 |
| Open redirect at mc-beta-cloud-acronis.com | Open Redirect | angeltsvetkov | None | 2022-11-15 |
| CSS Injection via Client Side Path Traversal + Open Redirect leads to personal data exfiltration on Acronis Cloud | Cross-site Scripting (XSS) - DOM | mr-medi | Medium | 2022-11-04 |
| mail.acronis.com is vulnerable to zero day vulnerability CVE-2022-41040 | Server-Side Request Forgery (SSRF) | bbece5b1ea2cbb33d0690ad | Critical | 2022-10-13 |
| Any expired reset password link can still be used to reset the password | Improper Access Control - Generic | m4rc10sz | Low | 2022-09-01 |
| Read-only administrator can change agent update settings | Improper Access Control - Generic | hacker1_agent | Medium | 2022-08-10 |
| Acronis True Image Local Privilege Escalation Due To Race Condition In Application Verification | Privilege Escalation | vkas-afk | High | 2022-07-28 |
| HTML Injection in E-mail Not Resolved () | None supplied | thewikiii | Medium | 2022-07-19 |
| unauth mosquitto ( client emails, ips, license keys exposure ) | Improper Access Control - Generic | second_grade_pentester | Medium | 2022-07-18 |
| CVE-2021-40438 on cp-eu2.acronis.com | Server-Side Request Forgery (SSRF) | savik | High | 2022-07-13 |
| [CVE-2021-44228] nps.acronis.com is vulnerable to the recent log4shell 0-day | Deserialization of Untrusted Data | rhinestonecowboy | Critical | 2022-07-13 |
| HTML Injection in E-mail | None supplied | hacker1_agent | Low | 2022-06-14 |
| Reflected Cross Site Scripting at ColdFusion Debugging Panel http://www.grouplogic.com/CFIDE/debug/cf_debugFr.cfm | Cross-site Scripting (XSS) - Reflected | ub3rsick | Low | 2022-06-14 |
| Reflected Cross Site Scripting at http://www.grouplogic.com/files/glidownload/verify3.asp [Uppercase Filter Bypass] | Cross-site Scripting (XSS) - Reflected | ub3rsick | Low | 2022-06-14 |
| Store Admin Page Accessible Without Authentication at http://www.grouplogic.com/ADMIN/store/index.cfm | Improper Access Control - Generic | ub3rsick | Medium | 2022-06-07 |
| Stored Cross Site Scripting at http://www.grouplogic.com/ADMIN/store/index.cfm?fa=disprocode | Cross-site Scripting (XSS) - Stored | ub3rsick | Medium | 2022-06-07 |
| Self XSS in attachments name | None supplied | hacker1_agent | Low | 2022-05-31 |
| Self-DoS due to template injection via email field in password reset form on access.acronis.com | None supplied | sudo_bash | None | 2022-05-03 |
| Session Fixation on Acronis | Session Fixation | hatnare | Medium | 2022-03-01 |
| FULL SSRF | Server-Side Request Forgery (SSRF) | lu3ky-13 | Low | 2022-02-22 |
| Cross-site Scripting (XSS) - Stored \| forum.acronis.com | Cross-site Scripting (XSS) - Stored | quadrant | Medium | 2022-02-08 |
| Stored Cross-site Scripting on devicelock.com/forum/ | Cross-site Scripting (XSS) - Stored | h4x0r_dz | Medium | 2022-02-08 |
| Subdomains takeover of register.acronis.com, promo.acronis.com, info.acronis.com and promosandbox.acronis.com | Privilege Escalation | ashmek | High | 2022-02-08 |
| Attacker Can Access to any Ticket Support on https://www.devicelock.com/support/ | Improper Access Control - Generic | h4x0r_dz | Medium | 2022-02-08 |
| Information Disclosure via ZIP file on AWS Bucket [http://acronis.1.s3.amazonaws.com] | Information Disclosure | h4x0r_dz | Medium | 2022-02-08 |
| %0A (New line) and limitness URL leads to DoS at all system [Main adress (https://www.acronis.com/)] | Uncontrolled Resource Consumption | plantos | Low | 2022-01-04 |
| admin password disclosure via log file | Information Disclosure | darkdream | Medium | 2021-12-21 |
| IDOR vulnerability (Price manipulation) | Insecure Direct Object Reference (IDOR) | spookhorror | Medium | 2021-11-30 |
| Cross Site Scripting (Reflected) on https://www.acronis.cz/ | Cross-site Scripting (XSS) - Reflected | darkdream | Low | 2021-11-17 |
| HTTP Request Smuggling on https://promosandbox.acronis.com | HTTP Request Smuggling | riramar | Low | 2021-11-16 |
| HTTP Request Smuggling on https://consumer.acronis.com | HTTP Request Smuggling | riramar | Low | 2021-11-16 |
| Stored XSS in profile page | Cross-site Scripting (XSS) - Stored | darkdream | Medium | 2021-11-14 |
| Subdomain takeover of main domain of https://www.cyberlynx.lu/ | Privilege Escalation | doosec101 | Medium | 2021-10-12 |
| bypass sql injection #1109311 | SQL Injection | lu3ky-13 | Medium | 2021-10-05 |
| Domain does not Match SSL Certificate | None supplied | skimask | Medium | 2021-10-05 |
| No server side check on terms of service page which leads to bypass | Client-Side Enforcement of Server-Side Security | hackipy | Medium | 2021-10-05 |
| XSS Stored in Cacheable response | Cross-site Scripting (XSS) - Stored | dj4ng0d2 | Medium | 2021-09-05 |
| IDOR on www.acronis.com API lead to steal private business user information | Insecure Direct Object Reference (IDOR) | f_m | Medium | 2021-08-31 |
| Possible LDAP username and password disclosed on Github | Information Disclosure | vovohelo | Medium | 2021-08-17 |
| [acronis.secure.force.com] - Insecure Salesforce default/custom object permissions leads to information disclosure | Information Disclosure | amsda | Low | 2021-08-17 |
| SQL Injection in agent-manager | SQL Injection | bourbon | High | 2021-08-16 |
| Acronis True Image 2021 (windows) does not validate server hostname on a login TLS connection | Improper Certificate Validation | aapo | High | 2021-08-10 |
| Local privilege escalation via insecure MSI file | Privilege Escalation | twvyy3vyaw8k | High | 2021-08-07 |
| Acronis True Image (Windows) does not validate server certificate on a TLS connection | Improper Certificate Validation | aapo | High | 2021-08-05 |
| Blind Stored XSS in https://partners.acronis.com/admin which lead to sensitive information/PII leakage | Cross-site Scripting (XSS) - Stored | mansishah | High | 2021-07-29 |
| Reflected XSS via "Error" parameter on https://admin.acronis.com/admin/su/ | Cross-site Scripting (XSS) - Reflected | samincube | Medium | 2021-07-19 |
| No Rate Limit On Forgot Password Page | Improper Access Control - Generic | bcbc04131e9a7775cc46c97 | Medium | 2021-07-09 |
| Self XSS on Acronis Cyber Cloud | Cross-site Scripting (XSS) - Generic | sbakhour | Low | 2021-06-28 |
| Stored XSS in backup scanning plan name | Cross-site Scripting (XSS) - Stored | sbakhour | Medium | 2021-06-28 |
| XSS in (Support Requests) : User Cases | Cross-site Scripting (XSS) - Stored | soulx01 | Medium | 2021-06-24 |
| anti_ransomware_service.exe REST API does not require authentication | Missing Authentication for Critical Function | mjoensen | Medium | 2021-06-24 |
| No brute force protection on web-api-cloud.acronis.com | Brute Force | hensis | Low | 2021-06-24 |
| Denial of Service in anti_ransomware_service.exe via logs files | Uncontrolled Resource Consumption | mjoensen | Medium | 2021-06-24 |
| Local Privilege Escalation in anti_ransomware_service.exe via quarantine | Privilege Escalation | mjoensen | Medium | 2021-06-24 |
| Local File Disclosure /Delete On [us-az-vpn.acronis.com] | Path Traversal | 10nf | Medium | 2021-06-22 |
| Reflected XSS on my.acronis.com | Cross-site Scripting (XSS) - Generic | f_m | Low | 2021-06-22 |
| Reflected XSS on cz.acronis.com/dekujeme-za-odber-novinek-produktu-disk-director with ability to creating an admin user in WordPress | Cross-site Scripting (XSS) - Reflected | cabelo | Medium | 2021-06-22 |
| SQL injection on admin.acronis.host development web service | SQL Injection | stealthy | High | 2021-06-22 |
| Subdomain Takeover – www.jet.acronis.com pointing to unclaimed Webflow services | Privilege Escalation | sumgr0 | Low | 2021-06-18 |
| Subdomain Takeover – jet.acronis.com pointing to unclaimed Webflow services | Privilege Escalation | sumgr0 | Low | 2021-06-18 |
| XSS on https://partners.acronis.com/ | Cross-site Scripting (XSS) - DOM | yash_ | Low | 2021-06-17 |
| Web cache poisoning at www.acronis.com | Violation of Secure Design Principles | 9529 | Medium | 2021-06-17 |
| Account Takeover on unverified emails in File Sync & Share | Violation of Secure Design Principles | 0xcrypto | Medium | 2021-06-16 |
| SQL injection in https://www.acronis.cz/ via the log parameter | SQL Injection | mmg | Medium | 2021-06-11 |
| Stored XSS in Acronis Cyber Protect Console | Cross-site Scripting (XSS) - Stored | sbakhour | Medium | 2021-06-10 |
| Flash Based Reflected XSS on www.grouplogic.com/jwplayer/player.swf | Cross-site Scripting (XSS) - Reflected | ali | Low | 2021-04-13 |
| Reflected XSS on http://www.grouplogic.com/files/glidownload/verify.asp | Cross-site Scripting (XSS) - Reflected | ali | Low | 2021-04-13 |
| Reflected XSS on www.grouplogic.com/video.asp | Cross-site Scripting (XSS) - Reflected | ali | Low | 2021-04-13 |
| Account Confirmation bypass leads to acess some fucntionality | Improper Access Control - Generic | atikna | Medium | 2021-03-30 |
| Arbitrary file creation via symlink attack on syncagentsrv (Acronis Sync Agent Service) | Privilege Escalation | adr | High | 2021-03-16 |
| Unrestricted file upload vulnerability in IMCE | Remote File Inclusion | bughunter_h1_bughunter | Medium | 2021-03-16 |
| ClickJacking | UI Redressing (Clickjacking) | salna_kuruvi | High | 2021-03-16 |
| Ticket Trick at https://account.acronis.com | Improper Access Control - Generic | sayaanalam | High | 2020-11-10 |
| Clickjacking on cas.acronis.com login page | UI Redressing (Clickjacking) | dgirlwhohacks | Low | 2020-11-03 |
| DOM based XSS in store.acronis.com/<id>/purl-corporate-standard-IT [cfg parameter] | None supplied | f_m | Low | 2020-10-20 |
| Arbitrary DLL injection in mmsminisrv (Acronis Managed Machine Service Mini) | Privilege Escalation | adr | High | 2020-10-20 |
| Get ip and Geo location any user via Clickjacking with inspectlet technology | Information Disclosure | abosala7 | None | 2020-10-15 |
| Missing rate limit for current password field (Password Change) Account Takeover | Brute Force | full109tun | Medium | 2020-10-06 |
| Content Spoofing | Phishing | full109tun | None | 2020-08-12 |