CVE-2022-23771

This vulnerability occurs in user accounts creation and deleteion related pages of IPTIME NAS products. The vulnerability could be exploited by a lack of validation when a POST request is made to this page. An attacker can use this vulnerability to or delete user accounts, or to escalate arbitrary user privileges.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8 HIGH
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
krcertCNA
8 HIGH
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 23%
VendorProductVersion
iptimenas1dual_firmware
𝑥
< 1.4.86
iptimenas2dual_firmware
𝑥
< 1.4.86
iptimenas4dual_firmware
𝑥
< 1.4.86
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66964
https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66964