History: Dec 08, 2023 - 4:15 p.m.

CVE-2023-47565

2023-12-08 16:15:16
CWE-78
web.nvd.nist.gov
136
In Wild
cve-2023-47565
os command injection
qnap viostor nvr
qvr firmware 4.x
qvr firmware 5.0.0

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.7 High (Confidence: High)

EPSS: 0.015 Low (Percentile: 86.7%)

An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could allow authenticated users to execute commands via a network.

We have already fixed the vulnerability in the following versions:

QVR Firmware 5.0.0 and later

Affected configurations

NVD
Node
Vendor: qnap, Product: qvr_firmware, Range: 4.0.0–5.0.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "QVR Firmware"
    ],
    "product": "VioStor NVR",
    "vendor": "QNAP Systems Inc.",
    "versions": [
      {
        "lessThan": "5.0.0 ",
        "status": "affected",
        "version": "4.x",
        "versionType": "custom"
      }
    ]
  }
]
