7.2

CVE-2023-23367

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.

We have already fixed the vulnerability in the following versions:
QTS 5.0.1.2376 build 20230421 and later
QuTS hero h5.0.1.2376 build 20230421 and later
QuTScloud c5.1.0.2498 and later

Data is provided by the National Vulnerability Database (NVD)
QnapQts Version5.0.0.1716 Updatebuild_20210701
QnapQts Version5.0.0.1785 Updatebuild_20210908
QnapQts Version5.0.0.1808 Updatebuild_20211001
QnapQts Version5.0.0.1828 Updatebuild_20211020
QnapQts Version5.0.0.1837 Updatebuild_20211029
QnapQts Version5.0.0.1850 Updatebuild_20211111
QnapQts Version5.0.0.1853 Updatebuild_20211114
QnapQts Version5.0.0.1858 Updatebuild_20211119
QnapQts Version5.0.0.1870 Updatebuild_20211201
QnapQts Version5.0.1.2034 Updatebuild_20220515
QnapQts Version5.0.1.2079 Updatebuild_20220629
QnapQts Version5.0.1.2131 Updatebuild_20220820
QnapQts Version5.0.1.2137 Updatebuild_20220826
QnapQts Version5.0.1.2145 Updatebuild_20220903
QnapQts Version5.0.1.2173 Updatebuild_20221001
QnapQts Version5.0.1.2194 Updatebuild_20221022
QnapQts Version5.0.1.2234 Updatebuild_20221201
QnapQts Version5.0.1.2248 Updatebuild_20221215
QnapQts Version5.0.1.2277 Updatebuild_20230112
QnapQts Version5.0.1.2346 Updatebuild_20230322
QnapQuts Hero Versionh5.0.0.1772 Updatebuild_20210826
QnapQuts Hero Versionh5.0.0.1844 Updatebuild_20211105
QnapQuts Hero Versionh5.0.0.1856 Updatebuild_20211117
QnapQuts Hero Versionh5.0.0.1892 Updatebuild_20211222
QnapQuts Hero Versionh5.0.0.1900 Updatebuild_20211228
QnapQuts Hero Versionh5.0.0.1949 Updatebuild_20220215
QnapQuts Hero Versionh5.0.0.1986 Updatebuild_20220324
QnapQuts Hero Versionh5.0.0.2022 Updatebuild_20220428
QnapQuts Hero Versionh5.0.0.2069 Updatebuild_20220614
QnapQuts Hero Versionh5.0.0.2120 Updatebuild_20220804
QnapQuts Hero Versionh5.0.1.2045 Updatebuild_20220526
QnapQuts Hero Versionh5.0.1.2192 Updatebuild_20221020
QnapQuts Hero Versionh5.0.1.2248 Updatebuild_20221215
QnapQuts Hero Versionh5.0.1.2269 Updatebuild_20230104
QnapQuts Hero Versionh5.0.1.2277 Updatebuild_20230112
QnapQuts Hero Versionh5.0.1.2348 Updatebuild_20230324
QnapQutscloud Versionc5.0.0.1919 Updatebuild_20220119
QnapQutscloud Versionc5.0.1.1949 Updatebuild_20220218
QnapQutscloud Versionc5.0.1.1998 Updatebuild_20220408
QnapQutscloud Versionc5.0.1.2044 Updatebuild_20220524
QnapQutscloud Versionc5.0.1.2148 Updatebuild_20220905
QnapQutscloud Versionc5.0.1.2374 Updatebuild_20230419
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.16% 0.339
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.2 1.2 5.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
security@qnapsecurity.com.tw 4.7 1.2 3.4
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.