CVE-2023-41282
02.02.2024, 16:15
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTScloud c5.1.5.2651 and later
| Vendor | Product | Version |
|---|---|---|
| qnap | qts | 5.1.0.2348:build_20230325 |
| qnap | qts | 5.1.0.2399:build_20230515 |
| qnap | qts | 5.1.0.2418:build_20230603 |
| qnap | qts | 5.1.0.2444:build_20230629 |
| qnap | qts | 5.1.0.2466:build_20230721 |
| qnap | qts | 5.1.1.2491:build_20230815 |
| qnap | qts | 5.1.2.2533:build_20230926 |
| qnap | qts | 5.1.3.2578:build_20231110 |
| qnap | qts | 5.1.4.2596:build_20231128 |
| qnap | qts | 5.1.5.2645 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.