7.2

CVE-2023-23367

QTS, QuTS hero, QuTScloud

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.

We have already fixed the vulnerability in the following versions:
QTS 5.0.1.2376 build 20230421 and later
QuTS hero h5.0.1.2376 build 20230421 and later
QuTScloud c5.1.0.2498 and later
Data provided by the National Vulnerability Database (NVD)
QNAP QTS, Version 5.0.0.1716, Update build_20210701
QNAP QTS, Version 5.0.0.1785, Update build_20210908
QNAP QTS, Version 5.0.0.1808, Update build_20211001
QNAP QTS, Version 5.0.0.1828, Update build_20211020
QNAP QTS, Version 5.0.0.1837, Update build_20211029
QNAP QTS, Version 5.0.0.1850, Update build_20211111
QNAP QTS, Version 5.0.0.1853, Update build_20211114
QNAP QTS, Version 5.0.0.1858, Update build_20211119
QNAP QTS, Version 5.0.0.1870, Update build_20211201
QNAP QTS, Version 5.0.1.2034, Update build_20220515
QNAP QTS, Version 5.0.1.2079, Update build_20220629
QNAP QTS, Version 5.0.1.2131, Update build_20220820
QNAP QTS, Version 5.0.1.2137, Update build_20220826
QNAP QTS, Version 5.0.1.2145, Update build_20220903
QNAP QTS, Version 5.0.1.2173, Update build_20221001
QNAP QTS, Version 5.0.1.2194, Update build_20221022
QNAP QTS, Version 5.0.1.2234, Update build_20221201
QNAP QTS, Version 5.0.1.2248, Update build_20221215
QNAP QTS, Version 5.0.1.2277, Update build_20230112
QNAP QTS, Version 5.0.1.2346, Update build_20230322
QNAP QuTS hero, Version h5.0.0.1772, Update build_20210826
QNAP QuTS hero, Version h5.0.0.1844, Update build_20211105
QNAP QuTS hero, Version h5.0.0.1856, Update build_20211117
QNAP QuTS hero, Version h5.0.0.1892, Update build_20211222
QNAP QuTS hero, Version h5.0.0.1900, Update build_20211228
QNAP QuTS hero, Version h5.0.0.1949, Update build_20220215
QNAP QuTS hero, Version h5.0.0.1986, Update build_20220324
QNAP QuTS hero, Version h5.0.0.2022, Update build_20220428
QNAP QuTS hero, Version h5.0.0.2069, Update build_20220614
QNAP QuTS hero, Version h5.0.0.2120, Update build_20220804
QNAP QuTS hero, Version h5.0.1.2045, Update build_20220526
QNAP QuTS hero, Version h5.0.1.2192, Update build_20221020
QNAP QuTS hero, Version h5.0.1.2248, Update build_20221215
QNAP QuTS hero, Version h5.0.1.2269, Update build_20230104
QNAP QuTS hero, Version h5.0.1.2277, Update build_20230112
QNAP QuTS hero, Version h5.0.1.2348, Update build_20230324
QNAP QuTScloud, Version c5.0.0.1919, Update build_20220119
QNAP QuTScloud, Version c5.0.1.1949, Update build_20220218
QNAP QuTScloud, Version c5.0.1.1998, Update build_20220408
QNAP QuTScloud, Version c5.0.1.2044, Update build_20220524
QNAP QuTScloud, Version c5.0.1.2148, Update build_20220905
QNAP QuTScloud, Version c5.0.1.2374, Update build_20230419
No warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.16% | 0.378

CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 7.2 | 1.2 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
security@qnapsecurity.com.tw | 4.7 | 1.2 | 3.4 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.