← back
CVE-2019-7194

CVE-2019-7194

CVSS 9.8 CRITICALEPSS 83.0%● KEVCWE-22
In short

A flaw in Photo Station lets attackers read or change important system files on a QNAP device by controlling file paths. This is critical because it can compromise the entire system's security and data.

Technical detail

Path traversal vulnerability (CWE-22) in QNAP Photo Station allows remote, unauthenticated attackers to access or modify arbitrary system files via unvalidated file path parameters. No special preconditions are required; exploitation results in complete system compromise with high impact on confidentiality, integrity, and availability.

Summary generated and translated by AI from the official description.
This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · QNAP NAS devices running Photo Station
public PoCs found1
cve_referencepacketstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.htmlunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.htmlhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-7194https://www.qnap.com/zh-tw/security-advisory/nas-201911-25