QNAP OS Command Injection Vulnerability Affects Multiple Versions
CVE-2023-47218

5.8MEDIUM

Key Information:

Vendor
QNAP
Status
QTS
QuTS hero
QuTScloud
Vendor
CVE Published:
13 February 2024

Badges

πŸ‘Ύ Exploit ExistsπŸ“° News Worthy

Summary

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.

We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later

Affected Version(s)

QTS 5.1.x < 5.1.5.2645 build 20240116

QuTS hero h5.1.x

QuTScloud c5.x

News Articles

favicon imageHelp Net Security

QNAP fixes OS command injection flaws affecting its NAS devices (CVE-2023-47218, CVE-2023-50358) - Help Net Security

QNAP has patched two unauthenticated OS command injection vulnerabilities (CVE-2023-47218, CVE-2023-50358) in its NAS devices.

11 months ago

References

https://www.qnap.com/en/security-advisory/qsa-23-57
https://www.rapid7.com/blog/post/2024/02/13/cve-2023-4721...

CVSS V3.1

Score:
5.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Adjacent Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • πŸ“°

    First article discovered by Help Net Security

  • Vulnerability published

  • Vulnerability Reserved

Credit

Stephen Fewer, Principal Security Researcher at Rapid7
.