This vulnerability occurs in user accounts creation and deleteion related pages of IPTIME NAS products. The vulnerability could be exploited by a lack of validation when a POST request is made to this page. An attacker can use this vulnerability to or delete user accounts, or to escalate arbitrary user privileges.
References
| Link | Resource |
|---|---|
| https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66964 | Third Party Advisory |
| https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66964 | Third Party Advisory |
Configurations
Configuration 1 (hide)
| AND |
|
Configuration 2 (hide)
| AND |
|
Configuration 3 (hide)
| AND |
|
History
21 Nov 2024, 06:49
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66964 - Third Party Advisory | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.0 |
19 Oct 2022, 13:52
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
| CWE | CWE-352 | |
| CPE | cpe:2.3:o:iptime:nas1dual_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:iptime:nas4dual:-:*:*:*:*:*:*:* cpe:2.3:h:iptime:nas1dual:-:*:*:*:*:*:*:* cpe:2.3:h:iptime:nas2dual:-:*:*:*:*:*:*:* cpe:2.3:o:iptime:nas2dual_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:iptime:nas4dual_firmware:*:*:*:*:*:*:*:* |
|
| References | (MISC) https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66964 - Third Party Advisory |
17 Oct 2022, 17:56
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2022-10-17 16:15
Updated : 2024-11-21 06:49
NVD link : CVE-2022-23771
Mitre link : CVE-2022-23771
CVE.ORG link : CVE-2022-23771
JSON object : View
Products Affected
iptime
- nas1dual
- nas4dual_firmware
- nas2dual_firmware
- nas2dual
- nas1dual_firmware
- nas4dual
CWE
CWE-352
Cross-Site Request Forgery (CSRF)