Summary
QNAP VioStor NVR firmware version 4.0.3 and possibly earlier versions, and QNAP NAS, contain multiple vulnerabilities.
1. Improper Access Control
VioStor NVR firmware version 4.0.3 and possibly earlier versions, and QNAP NAS with the Surveillance Station Pro activated, contain a hardcoded guest account and password which can be leveraged to log in to the web server. It has been reported that it is not possible to view or administer the guest account using the web interface.
2. Cross-Site Request Forgery (CSRF)
VioStor NVR firmware version 4.0.3 and possibly earlier versions contains a cross-site request forgery vulnerability that could allow an attacker to add a new administrative account to the server by tricking an administrator into clicking a malicious link while they are logged in to the web server.
References
Updated on 2017-03-28
Severity
Classification
- CVE: CVE-2013-0142, CVE-2013-0144
- CVSS Base Score: 6.8
- CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- @Mail WebMail Email Body HTML Injection Vulnerability
- Apache Tomcat Login Constraints Security Bypass Vulnerability
- Admidio get_file.php Remote File Disclosure Vulnerability
- Apache ActiveMQ 'Cron Jobs' Cross Site Scripting Vulnerability
- Alt-N WebAdmin Remote Source Code Information Disclosure Vulnerability