⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-06-22.

CVE-2019-7194Path Traversal in Qnap Photo Station

CWE-22Path TraversalCWE-610Externally Controlled Reference to a Resource in Another Sphere6 documents6 sources
Severity
9.8CRITICALNVD
EPSS
93.9%
top 0.12%
CISA KEV
KEVRansomware
Added 2022-06-08
Due 2022-06-22
Exploit
Exploited in wild
Active exploitation observed
Affected products
1
Qnap Photo Station
Timeline
PublishedDec 5
KEV addedJun 8
KEV dueJun 22
CISA Required Action: Apply updates per vendor instructions.

Description

This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDqnap/photo_station< 6.0.3+3

🔴Vulnerability Details

3
GHSA
GHSA-4wch-cg8h-vqc6: This external control of file name or path vulnerability allows remote attackers to access or modify system files2022-05-24
CVEList
CVE-2019-7194: This external control of file name or path vulnerability allows remote attackers to access or modify system files2019-12-05
VulnCheck
QNAP Photo Station Path Traversal Vulnerability2019

💥Exploits & PoCs

1
Nuclei
QNAP Photo Station < 6.0.3 - Remote Code Execution

📋Vendor Advisories

1
CISA
QNAP Photo Station Path Traversal Vulnerability2022-06-08
CVE-2019-7194 — Path Traversal in Qnap Photo Station | cvebase