Oct 17, 2022 - 12:00 a.m.

CVE-2022-23771 IPTIME NAS1DUAL CSRF Vulnerability

2022-10-17 00:00:00
CWE-352
krcert
www.cve.org
iptime nas1dual
csrf
vulnerability
user accounts
validation
post request
attacker
user privileges

CVSS3: 8

Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 8.9
Confidence: High

EPSS: 0.001
Percentile: 32.3%

This vulnerability occurs in the user account creation and deletion pages of IPTIME NAS products. It is exploitable because of a lack of validation when a POST request is made to these pages. An attacker can use this vulnerability to create or delete user accounts, or to escalate the privileges of arbitrary users.

CNA Affected

[
  {
    "vendor": "EFM Networks Co., Ltd",
    "product": "NAS1dual, NAS2dual, NAS4dual",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "1.4.86",
        "status": "affected",
        "versionType": "custom"
      }
    ],
    "platforms": [
      "Linux, Windows and etc.."
    ]
  }
]
