CVE-2019-7195
published 2019-12-05


Priority: P197, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-06-22
Exploited in the wild
EPSS: 89.68% (99.8th percentile)

This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.

Affected

4 ranges
Vendor  Product        Version range  Fixed in
qnap    photo_station  < 6.0.3        6.0.3
qnap    photo_station  < 5.7.10       5.7.10
qnap    photo_station  < 5.4.9        5.4.9
qnap    photo_station  < 5.2.11       5.2.11

Detection & IOCs (extracted from sources)

url:  /photo/p/api/album.php
url:  /photo/slideshow.php
url:  /photo/p/api/video.php
path: .%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
  • Exploit chain uses three sequential HTTP requests: (1) POST to /photo/p/api/album.php with a=setSlideshow to create an album, (2) GET to /photo/slideshow.php to extract album_id and access_code, (3) POST to /photo/p/api/video.php with path traversal payload in the 'filename' parameter targeting /etc/passwd.
  • Successful exploitation of the path traversal is confirmed when the response body contains 'admin:' (passwd file content) and the Content-Type header includes both 'video/subtitle' and 'filename='.
  • The module has been tested on QTS 4.3.3 (unknown Photo Station version) and QTS 4.3.6 with Photo Station 5.7.9; the HTTP server runs as root, enabling access to SSH private keys and password hashes.
  • Shodan queries can be used to identify exposed QNAP Photo Station instances: search for content-length '580' with 'http server 1.0', or HTTP title 'photo station' or 'qnap'.
  • The exploit requires a multi-step authentication bypass chain (CVE-2019-7192 album creation + CVE-2019-7195 path traversal); the album_id and access_code extracted from intermediate responses are required parameters for the final traversal request.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck           9.8    CRITICAL
cisa                9.8    CRITICAL