CVE-2020-2507

CWE-77 — Command Injection CWE-78 — OS Command Injection CWE-863 — Incorrect Authorization4 documents4 sources

Severity

9.8CRITICAL

EPSS

4.6%

top 10.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qnap Systems Inc. Helpdesk Qnap Helpdesk

Timeline

PublishedFeb 3

Latest updateMay 24

Description

The vulnerability have been reported to affect earlier versions of QTS. If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5qnap_systems_inc./helpdeskunspecified — 3.0.3

▶NVDqnap/helpdesk< 3.0.3

🔴Vulnerability Details

GHSA

GHSA-7r29-w7vh-5p6q: The vulnerability have been reported to affect earlier versions of QTS↗2022-05-24

▶

CVEList

command injection vulnerability in Helpdesk↗2021-02-03

▶

VulnCheck

QNAP Helpdesk Improper Neutralization of Special Elements used in a Command ('Command Injection')↗2020

▶