cbcvebase.
CVE-2023-45038
published 2024-09-06


Priority: P1, 80, high
CVSS 3.1: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
ITW · EXPLOIT · VulnCheck KEV: Exploited in the wild
EPSS: 1.18% (63.9th percentile)

An improper authentication vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Music Station 5.4.0 and later.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
qnap | music_station | >= 5.0.0 < 5.4.0 | 5.4.0
qnap_systems_inc | music_station | >= 5.4.x < 5.4.0 | 5.4.0

Detection & IOCs (extracted from sources)

url: POST /musicstation/api/as_get_file_api.php
path: /musicstation/api/as_get_file_api.php
command: ssid=dummy&songid=1&tt=ts&f=L2V0Yy9wYXNzd2Q=
other: filename='passwd'
yara: regex: admin:.*:0:0:

  • The exploit sends a POST request to /musicstation/api/as_get_file_api.php with a base64-encoded path (L2V0Yy9wYXNzd2Q= = /etc/passwd) in the 'f' parameter, bypassing authentication to read arbitrary files.
  • Successful exploitation returns HTTP 200 with a Content-Disposition header containing filename='passwd' and a response body matching the pattern 'admin:.*:0:0:', indicating /etc/passwd was read.
  • The vulnerable endpoint is as_get_file_api.php; patching to Music Station 5.4.0 or later implements proper authentication validation in this endpoint.
  • QNAP NAS devices can be identified for targeting via Shodan (http.title:"qnap"), FOFA (title="qnap"), or Google (intitle:"qnap").
  • The 'f' parameter accepts a base64-encoded file path, allowing arbitrary file read. The PoC uses L2V0Yy9wYXNzd2Q=, which decodes to /etc/passwd, but any path may be supplied.
  • The vulnerability affects QNAP Music Station versions prior to 5.4.0 only; versions 5.4.0 and later are patched.
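
The indicators above can be turned into a log check. The following is an added example, not code from this page or from QNAP: it assumes a reverse-proxy or WAF log that records method, path, form body and the start of the response as tab-separated fields. The names `decode_f`, `scan` and `SAMPLE_LOG` are hypothetical and the sample records are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

ENDPOINT = "/musicstation/api/as_get_file_api.php"  # endpoint named on the page
PASSWD_RE = re.compile(r"admin:.*:0:0:")            # response regex given on the page

# Constructed records in an assumed format:
# method <TAB> path <TAB> form body <TAB> start of response body
SAMPLE_LOG = (
    "GET\t/musicstation/index.php\t\t<html>\n"
    "POST\t/musicstation/api/as_get_file_api.php\tsongid=1&tt=ts&f=L2V0Yy9wYXNzd2Q=\t"
    "admin:x:0:0:administrator:/share/homes/admin:/bin/sh\n"
    "POST\t/musicstation/api/as_get_file_api.php\tsongid=7&tt=ts&f=%%%notb64\t\n"
    "POST\t/musicstation/api/as_get_file_api.php\tsongid=9&tt=ts\t\n"
)


def decode_f(body):
    """Return the decoded 'f' path, None if 'f' is absent, or '<undecodable>'."""
    values = parse_qs(body).get("f")
    if not values:
        return None
    raw = values[0].replace(" ", "+")  # parse_qs turns a literal '+' into a space
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return "<undecodable>"


def scan(log_text):
    """Return one finding per POST to the endpoint that carries an 'f' parameter."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # not in the assumed log format
        method, path, body, response = fields
        if method != "POST" or path.split("?")[0] != ENDPOINT:
            continue
        decoded = decode_f(body)
        if decoded is not None:
            findings.append({"line": lineno, "decoded_path": decoded,
                             "file_read_confirmed": bool(PASSWD_RE.search(response))})
    return findings
```

Logging the decoded path rather than the raw parameter lets a reviewer see at a glance which file each request asked for, and the `file_read_confirmed` flag separates attempts from responses that actually returned passwd-style content.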

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck | 4.3 | MEDIUM