CVE-2019-7192 - Incorrect Authorization vulnerability in Qnap Photo Station
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommends updating Photo Station to the latest versions.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Metasploit
description | This module exploits a local file inclusion in QNAP QTS and Photo Station that allows an unauthenticated attacker to download files from the QNAP filesystem. Because the HTTP server runs as root, it is possible to access sensitive files, such as SSH private keys and password hashes. This module has been tested on QTS 4.3.3 (unknown Photo Station version) and QTS 4.3.6 with Photo Station 5.7.9. |
id | MSF:AUXILIARY/GATHER/QNAP_LFI |
last seen | 2020-06-11 |
modified | 2020-06-10 |
published | 2020-05-28 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/qnap_lfi.rb |
title | QNAP QTS and Photo Station Local File Inclusion |
Packetstorm
data source | https://packetstormsecurity.com/files/download/157857/qnapqtsphotostation603-exec.txt |
id | PACKETSTORM:157857 |
last seen | 2020-05-30 |
published | 2020-05-28 |
reporter | Yunus YILDIRIM |
source | https://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html |
title | QNAP QTS And Photo Station 6.0.3 Remote Command Execution |
References
- http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html
- https://www.qnap.com/zh-tw/security-advisory/nas-201911-25