CVE-2023-47565
QNAP VioStor NVR OS Command Injection Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
YesDecision
Descriptions
An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could allow authenticated users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
QVR Firmware 5.0.0 and later
Se ha descubierto que una vulnerabilidad de inyección de comandos del sistema operativo afecta a los modelos QNAP VioStor NVR heredados que ejecutan el firmware QVR 4.x. Si se explota, la vulnerabilidad podría permitir a los usuarios autenticados ejecutar comandos a través de una red. Ya hemos solucionado la vulnerabilidad en las siguientes versiones: QVR Firmware 5.0.0 y posteriores
QNAP VioStar NVR contains an OS command injection vulnerability that allows authenticated users to execute commands via a network.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-11-06 CVE Reserved
- 2023-12-08 CVE Published
- 2023-12-21 Exploited in Wild
- 2024-01-11 KEV Due Date
- 2024-08-02 CVE Updated
- 2024-11-07 EPSS Updated
- ---------- First Exploit
CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CAPEC
- CAPEC-88: OS Command Injection
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.qnap.com/en/security-advisory/qsa-23-48 | 2023-12-22 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Qnap Search vendor "Qnap" | Qvr Firmware Search vendor "Qnap" for product "Qvr Firmware" | >= 4.0.0 < 5.0.0 Search vendor "Qnap" for product "Qvr Firmware" and version " >= 4.0.0 < 5.0.0" | - |
Affected
| ||||||