Lucene search

KrcertCVELIST:CVE-2022-23765

HistoryAug 17, 2022 - 8:24 p.m.

CVE-2022-23765 IPTIME NAS family CSRF vulnerability

2022-08-1720:24:23

CWE-352

krcert

www.cve.org

iptime nas

csrf vulnerability

remote attackers

root privileges

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

39.7%

JSON

This vulnerability occured by sending a malicious POST request to a specific page while logged in random user from some family of IPTIME NAS. Remote attackers can steal root privileges by changing the password of the root through a POST request.

CNA Affected

[
  {
    "platforms": [
      "Linux, Windows and etc.."
    ],
    "product": "NAS1dual, NAS2dual, NAS4dual",
    "vendor": "EFM Networks Co.,Ltd",
    "versions": [
      {
        "lessThan": "1.4.86",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66877

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

39.7%

JSON

Related for CVELIST:CVE-2022-23765