Summary
QNAP QTS is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
Impact
A remote attacker could exploit the vulnerability using directory- traversal characters ('../') to access arbitrary files that contain sensitive information. Information harvested may aid in launching further attacks.
Solution
Update to 4.1.0
Insight
QNAP QTS is a Network-Attached Storage (NAS) system accessible via a web interface. QNAP QTS 4.0.3 and possibly earlier versions contain a path traversal vulnerability via the cgi-bin/jc.cgi CGI script. The script accepts an 'f' parameter which takes an unrestricted file path as input.
Affected
QNAP QTS 4.0.3 is vulnerable
other versions may also be affected.
Detection
Check the firmware version.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2013-7174 -
CVSS Base Score: 7.8
AV:N/AC:L/Au:N/C:C/I:N/A:N
Related Vulnerabilities