CVE-2022-27593

08.09.2022, 11:15

An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, This could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and later

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	10 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
qnap	CNA	10 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Vendor	Product	Version
qnap	photo_station	𝑥 < 5.2.14
qnap	photo_station	𝑥 < 5.4.15
qnap	photo_station	𝑥 < 5.7.18
qnap	photo_station	𝑥 < 6.0.22
qnap	photo_station	𝑥 < 6.1.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

References

https://www.qnap.com/en/security-advisory/qsa-22-24