CVE-2020-2504

Published: Dec 24, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

If exploited, this absolute path traversal vulnerability could allow attackers to traverse files in File Station. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later.

Affected (8)

Products: Qnap: Qes

1 product

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Qnap Qes	Before 2.1.1
Qnap Qes	Version 2.1.1
Qnap Qes	Version 2.1.1 build_20200211
Qnap Qes	Version 2.1.1 build_20200303
Qnap Qes	Version 2.1.1 build_20200319
Qnap Qes	Version 2.1.1 build_20200424
Qnap Qes	Version 2.1.1 build_20200515
Qnap Qes	Version 2.1.1 build_20200811

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

References (2)

https://www.qnap.com/zh-tw/security-advisory/qsa-20-17

Source: security@qnapsecurity.com.tw

Vendor Advisory

https://www.qnap.com/zh-tw/security-advisory/qsa-20-17

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.