QNAP QTS 4.0.3 and possibly earlier versions contain a path traversal vulnerability.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2013-7174
QNAP QTS is a Network-Attached Storage (NAS) system accessible via a web interface. QNAP QTS 4.0.3 and possibly earlier versions contain a path traversal vulnerability via the cgi-bin/jc.cgi CGI script. The script accepts an "f" parameter which takes an unrestricted file path as input.
A remote unauthenticated attacker could obtain sensitive information.
Apply an Update
Thanks to the reporter that wishes to remain anonymous.
This document was written by Todd Lewellen.
|Date First Published:||2014-01-08|
|Date Last Updated:||2014-01-08 16:46 UTC|