Cross-Site Request Forgery in QNAP VioStor NVR Devices
CVE-2013-0144
Currently unrated
Summary
A cross-site request forgery (CSRF) vulnerability exists in the create_user.cgi component of QNAP VioStor NVR devices running firmware version 4.0.3. The flaw allows remote attackers to perform unauthorized actions by leveraging the authenticated session of an administrator. A specially crafted request that rides on that session can create new administrative accounts without the attacker authenticating to the device, potentially compromising the security of the NVR system.