CVE-2013-0143

cgi-bin/pingping.cgi on QNAP VioStor NVR devices with firmware 4.0.3, and in the Surveillance Station Pro component in QNAP NAS, allows remote authenticated users to execute arbitrary commands by leveraging guest access and placing shell metacharacters in the query string.

CVSS v2.0 6.5 MEDIUM

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.kb.cert.org/vuls/id/927644	US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:qnap:viostor_network_video_recorder:4.0.3:*:*:*:*:*:*:*

cpe:2.3:h:qnap:viostor_network_video_recorder:-:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:qnap:surveillance_station_pro:-:::::::*
	cpe:2.3:h:qnap:nas:-:::::::*

History

No history.

Information

Published : 2013-06-07 20:55

Updated : 2024-02-04 18:16

NVD link : CVE-2013-0143

Mitre link : CVE-2013-0143

CVE.ORG link : CVE-2013-0143

JSON object : View

Products Affected

qnap

viostor_network_video_recorder
nas
surveillance_station_pro

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2013-0143", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2013-06-07T20:55:01.347", "references": [{"url": "http://www.kb.cert.org/vuls/id/927644", "tags": ["US Government Resource"], "source": "cret@cert.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "cgi-bin/pingping.cgi on QNAP VioStor NVR devices with firmware 4.0.3, and in the Surveillance Station Pro component in QNAP NAS, allows remote authenticated users to execute arbitrary commands by leveraging guest access and placing shell metacharacters in the query string."}, {"lang": "es", "value": "cgi-bin/pingping.cgi en dispositivos QNAP VioStor NVR con firmware v4.0.3, y en el componente Surveillance Station Pro en QNAP NAS, permite que usuarios remotos autenticados ejecuten comandos de su elecci\u00f3n haciendo uso de acceso de invitado e incluyendo metacaracteres de la shell en una cadena de petici\u00f3n."}], "lastModified": "2013-06-10T04:00:00.000", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:qnap:viostor_network_video_recorder:4.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D19104D8-ECF5-4990-90D2-EE9C30282181"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:qnap:viostor_network_video_recorder:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "181489DB-7A64-49C5-A362-55D506AFBCA7"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:qnap:surveillance_station_pro:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "99295443-CEBD-47C9-A01B-5C5E8E5A4282"}, {"criteria": "cpe:2.3:h:qnap:nas:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80C76690-809E-4A12-BF56-D713DD49ED27"}], "operator": "OR"}]}], "sourceIdentifier": "cret@cert.org"}