⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-06-22.

CVE-2019-7195Path Traversal in Qnap Photo Station

CWE-22Path TraversalCWE-610Externally Controlled Reference to a Resource in Another Sphere7 documents7 sources
Severity
9.8CRITICALNVD
EPSS
94.1%
top 0.09%
CISA KEV
KEVRansomware
Added 2022-06-08
Due 2022-06-22
Exploit
Exploited in wild
Active exploitation observed
Affected products
1
Qnap Photo Station
Timeline
PublishedDec 5
KEV addedJun 8
KEV dueJun 22
Latest updateAug 31
CISA Required Action: Apply updates per vendor instructions.

Description

This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDqnap/photo_station< 6.0.3+3

🔴Vulnerability Details

3
GHSA
GHSA-5h7g-3542-fw4q: This external control of file name or path vulnerability allows remote attackers to access or modify system files2022-05-24
CVEList
CVE-2019-7195: This external control of file name or path vulnerability allows remote attackers to access or modify system files2019-12-05
VulnCheck
QNAP Photo Station Path Traversal Vulnerability2019

💥Exploits & PoCs

1
Nuclei
QNAP Photo Station - Path Traversal

🔍Detection Rules

1
Suricata
ET EXPLOIT QNAP Photo Station Path Traversal Attempt Inbound (CVE-2019-7195)2022-08-31

📋Vendor Advisories

1
CISA
QNAP Photo Station Path Traversal Vulnerability2022-06-08
CVE-2019-7195 — Path Traversal in Qnap Photo Station | cvebase