Quest NetVault Backup Server < 14.0.2 Multiple Vulnerabilities

Severity: High. Nessus Plugin ID 324563

Synopsis

The remote backup server is affected by multiple vulnerabilities.

Description

The version of Quest NetVault Backup Server running on the remote host is prior to 14.0.2. It is, therefore, affected by multiple vulnerabilities, including:

- A cross-site scripting vulnerability in the viewclient webpage that allows remote attackers to bypass authentication. User interaction is required. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of SYSTEM. (CVE-2026-7569)

- A cross-site scripting vulnerability in the addclient3 webpage that allows remote attackers to bypass authentication. User interaction is required. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of SYSTEM. (CVE-2026-9780)

- A command injection vulnerability in NVBULogDaemon JSON-RPC message processing that allows remote attackers to execute arbitrary code in the context of SYSTEM. Although authentication is required, the existing authentication mechanism can be bypassed. (CVE-2026-9787)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Quest NetVault Backup Server version 14.0.2 or later.

See Also

http://www.nessus.org/u?8f42a3f2

Plugin Details

Severity: High

ID: 324563

File Name: quest_netvault_backup_14_0_2.nasl

Version: 1.1

Type: Remote

Family: Misc.

Published: 7/1/2026

Updated: 7/1/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.97

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-7569

CVSS v3

Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:quest:netvault_backup

Required KB Items: installed_sw/Quest NetVault Backup Server

Patch Publication Date: 6/24/2026

Vulnerability Publication Date: 6/24/2026

Reference Information

CVE: CVE-2026-7569, CVE-2026-7570, CVE-2026-9780, CVE-2026-9781, CVE-2026-9782, CVE-2026-9783, CVE-2026-9784, CVE-2026-9785, CVE-2026-9786, CVE-2026-9787