Vulnerability Note VU#487078

QNAP QTS path traversal vulnerability

Original Release date: 08 Jan 2014 | Last revised: 08 Jan 2014


QNAP QTS 4.0.3 and possibly earlier versions contain a path traversal vulnerability.


CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2013-7174

QNAP QTS is a Network-Attached Storage (NAS) system accessible via a web interface. QNAP QTS 4.0.3 and possibly earlier versions contain a path traversal vulnerability via the cgi-bin/jc.cgi CGI script. The script accepts an "f" parameter which takes an unrestricted file path as input.


A remote unauthenticated attacker could obtain sensitive information.


Apply an Update

QNAP advises users to upgrade to QTS version 4.1.0. In addition, the following workaround is available:

Restrict Access

Enable firewall rules to restrict access to port 80/tcp from external untrusted sources.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
QNAP SecurityAffected07 Nov 201308 Jan 2014
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 7.8 AV:N/AC:L/Au:N/C:C/I:N/A:N
Temporal 6.4 E:F/RL:OF/RC:C
Environmental 1.7 CDP:L/TD:L/CR:ND/IR:ND/AR:ND



Thanks to the reporter that wishes to remain anonymous.

This document was written by Todd Lewellen.

Other Information

  • CVE IDs: CVE-2013-7174
  • Date Public: 08 Jan 2014
  • Date First Published: 08 Jan 2014
  • Date Last Updated: 08 Jan 2014
  • Document Revision: 15


If you have feedback, comments, or additional information about this vulnerability, please send us email.