cnvd - cnvd-2018-17532

cnvd-2018-17532

Vulnerability from cnvd

Title

QNAP Q'center Virtual Appliance命令注入漏洞（CNVD-2018-17532）

Description

QNAP Q'center Virtual Appliance是中国威联通（QNAP Systems）公司的一款用于在Microsoft Hyper-V、VMware ESXi和Workstation等虚拟环境中部署Q'center（QNAP NAS管理平台）的虚拟设备。 QNAP Q'center Virtual Appliance 1.7.1063及之前版本中密码的更改存在命令注入漏洞，该漏洞源于程序未能正确的验证输入。攻击者可利用该漏洞执行任意命令。

Severity

高

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.qnap.com/solution/qcenter/index.php?lang=zh-cn

Reference

https://nvd.nist.gov/vuln/detail/CVE-2018-0707 https://www.exploit-db.com/exploits/45015/

Impacted products

Name
QNAP Q'center Virtual Appliance <=1.7.1063

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-0707"
    }
  },
  "description": "QNAP Q\u0027center Virtual Appliance\u662f\u4e2d\u56fd\u5a01\u8054\u901a\uff08QNAP Systems\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8e\u5728Microsoft Hyper-V\u3001VMware ESXi\u548cWorkstation\u7b49\u865a\u62df\u73af\u5883\u4e2d\u90e8\u7f72Q\u0027center\uff08QNAP NAS\u7ba1\u7406\u5e73\u53f0\uff09\u7684\u865a\u62df\u8bbe\u5907\u3002\r\n\r\nQNAP Q\u0027center Virtual Appliance 1.7.1063\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5bc6\u7801\u7684\u66f4\u6539\u5b58\u5728\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u7684\u9a8c\u8bc1\u8f93\u5165\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002",
  "discovererName": "Ivan Huertas",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.qnap.com/solution/qcenter/index.php?lang=zh-cn",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-17532",
  "openTime": "2018-09-05",
  "products": {
    "product": "QNAP Q\u0027center Virtual Appliance \u003c=1.7.1063"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2018-0707\r\nhttps://www.exploit-db.com/exploits/45015/",
  "serverity": "\u9ad8",
  "submitTime": "2018-07-13",
  "title": "QNAP Q\u0027center Virtual Appliance\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2018-17532\uff09"
}

CVE-2018-0707 (GCVE-0-2018-0707)

Vulnerability from cvelistv5

Published

2018-07-16 15:00

Modified

2024-09-16 17:22

Severity ?

CWE

Command Injection

Summary

Command injection vulnerability in change password of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands.

References

URL

Tags

	https://www.exploit-db.com/exploits/45015/	exploit, x_refsource_EXPLOIT-DB
	https://www.coresecurity.com/advisories/qnap-qcenter-virtual-appliance-multiple-vulnerabilities	x_refsource_MISC
	http://seclists.org/fulldisclosure/2018/Jul/45	mailing-list, x_refsource_FULLDISC
	http://packetstormsecurity.com/files/148515/QNAP-Qcenter-Virtual-Appliance-1.6.x-Information-Disclosure-Command-Injection.html	x_refsource_MISC
	https://www.exploit-db.com/exploits/45043/	exploit, x_refsource_EXPLOIT-DB
	https://www.qnap.com/zh-tw/security-advisory/nas-201807-10	x_refsource_CONFIRM
	https://www.securityfocus.com/archive/1/542141/100/0/threaded	mailing-list, x_refsource_BUGTRAQ