← back
CVE-2019-7195

CVE-2019-7195

CVSS 9.8 CRITICALEPSS 89.7%● KEVCWE-22
In short

Photo Station allows remote attackers to access or modify system files by manipulating file paths. This is critical because attackers can read sensitive data or damage system files without needing special permissions.

Technical detail

CWE-22 path traversal vulnerability in Photo Station permits unauthenticated remote attackers to read and write arbitrary files on the system via specially crafted file path parameters. The attack requires only network access and no authentication, enabling complete system compromise.

Summary generated and translated by AI from the official description.
This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · QNAP NAS devices running Photo Station
public PoCs found1
cve_referencepacketstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.htmlunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.htmlhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-7195https://www.qnap.com/zh-tw/security-advisory/nas-201911-25