CVE-2022-23765

EUVD-2022-28701
This vulnerability occured by sending a malicious POST request to a specific page while logged in random user from some family of IPTIME NAS. Remote attackers can steal root privileges by changing the password of the root through a POST request.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8 HIGH
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
krcertCNA
8 HIGH
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 44%
Affected Products (NVD)
VendorProductVersion
iptimenas1dual_firmware
𝑥
< 1.4.86
iptimenas2dual_firmware
𝑥
< 1.4.86
iptimenas4dual_firmware
𝑥
< 1.4.86
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66877
https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66877