⚠ Actively exploited
Added to CISA KEV on 2022-03-25. Federal agencies required to patch by 2022-04-15. Required action: Apply updates per vendor instructions..

CVE-2020-2506

CWE-284Improper Access ControlCWE-863Incorrect Authorization6 documents6 sources
Severity
9.8CRITICAL
EPSS
18.0%
top 4.84%
CISA KEV
KEV
Added 2022-03-25
Due 2022-04-15
Exploit
Exploited in wild
Active exploitation observed
Affected products
2
Qnap Systems Inc. HelpdeskQnap Helpdesk
Timeline
PublishedFeb 3
KEV addedMar 25
KEV dueApr 15
Latest updateMay 24
CISA Required Action: Apply updates per vendor instructions.

Description

The vulnerability have been reported to affect earlier versions of QTS. If exploited, this improper access control vulnerability could allow attackers to compromise the security of the software by gaining privileges, or reading sensitive information. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.4

Affected Packages2 packages

CVEListV5qnap_systems_inc./helpdeskunspecified3.0.3
NVDqnap/helpdesk< 3.0.3

🔴Vulnerability Details

3
GHSA
GHSA-vph4-5mf4-28v5: The vulnerability have been reported to affect earlier versions of QTS2022-05-24
CVEList
improper access control vulnerability in Helpdesk2021-02-03
VulnCheck
QNAP Helpdesk Improper Access Control Vulnerability2020

📋Vendor Advisories

1
CISA
QNAP Helpdesk Improper Access Control Vulnerability2022-03-25
CVE-2020-2506 (CRITICAL CVSS 9.8) | The vulnerability have been reporte | cvebase.io