CVE-2018-19945Improper Input Validation in Systems INC QTS

CWE-20Improper Input ValidationCWE-22Path TraversalCWE-73External Control of File Name or PathCWE-284Improper Access Control3 documents3 sources
Severity
9.1CRITICALNVD
EPSS
0.4%
top 39.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Qnap Systems INC QTSQnap QTS
Timeline
PublishedDec 31
Latest updateMay 24

Description

A vulnerability has been reported to affect earlier QNAP devices running QTS 4.3.4 to 4.3.6. Caused by improper limitations of a pathname to a restricted directory, this vulnerability allows for renaming arbitrary files on the target system, if exploited. QNAP have already fixed this vulnerability in the following versions: QTS 4.3.6.0895 build 20190328 (and later) QTS 4.3.4.0899 build 20190322 (and later) This issue does not affect QTS 4.4.x or QTS 4.5.x.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages2 packages

CVEListV5qnap_systems_inc/qtsunspecified4.3.6.0895+1
NVDqnap/qts4.3.44.3.4.0899+1

🔴Vulnerability Details

2
GHSA
GHSA-xc2v-fcxv-wj59: A vulnerability has been reported to affect earlier QNAP devices running QTS 42022-05-24
CVEList
Improper Limitation of a Pathname to a Restricted Directory in QTS2020-12-31
CVE-2018-19945 — Improper Input Validation | cvebase