Vulnerability Note VU#487078
QNAP QTS path traversal vulnerability
QNAP QTS 4.0.3 and possibly earlier versions contain a path traversal vulnerability.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2013-7174
QNAP QTS is a Network-Attached Storage (NAS) system accessible via a web interface. QNAP QTS 4.0.3 and possibly earlier versions contain a path traversal vulnerability via the cgi-bin/jc.cgi CGI script. The script accepts an "f" parameter which takes an unrestricted file path as input.
A remote unauthenticated attacker could obtain sensitive information.
Apply an Update
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|QNAP Security||Affected||07 Nov 2013||08 Jan 2014|
CVSS Metrics (Learn More)
Thanks to the reporter that wishes to remain anonymous.
This document was written by Todd Lewellen.
- CVE IDs: CVE-2013-7174
- Date Public: 08 Jan 2014
- Date First Published: 08 Jan 2014
- Date Last Updated: 08 Jan 2014
- Document Revision: 15
If you have feedback, comments, or additional information about this vulnerability, please send us email.