CVE-2021-28804 — OS Command Injection in Systems INC QTS

CWE-78 — OS Command Injection3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

2.7%

top 13.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qnap Systems INC QTS Qnap Systems INC Quts Hero Qnap QTS +1 more

Timeline

PublishedJul 1

Latest updateMay 24

Description

A command injection vulnerabilities have been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.1.1540 build 20210107. QNAP Systems Inc. QuTS hero versions prior to h4.5.1.1582 build 20210217.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5qnap_systems_inc/quts_herounspecified — h4.5.1.1582 build 20210217

▶NVDqnap/quts_heroh4.5.1.1582

▶CVEListV5qnap_systems_inc/qtsunspecified — 4.5.1.1540 build 20210107

▶NVDqnap/qts4.5.1.1540

🔴Vulnerability Details

GHSA

GHSA-8p34-xr7p-88q2: A command injection vulnerabilities have been reported to affect QTS and QuTS hero↗2022-05-24

▶

CVEList

Command Injection Vulnerabilities in QTS and QuTS hero↗2021-07-01

▶