EUVD-2025-201501

A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation of the argument safedir causes command injection. It is possible to initiate...

CVE-2025-14108 ZSPACE Q2C NAS HTTP POST Request open zfilev2_api.OpenSafe command injection

A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation of the argument safedir causes command injection. It is possible to initiate...

CVE-2025-14108

ZSPACE Q2C NAS 1.1.0210050) or apply vendor-provided fixes; restricting access to the affected API endpoint is a suggested workaround where feasible. If implementing, verify affected versions and monitor for vendor advisories.

When Creating a Safe Via ODSafeManager::openSAFE, the User Proxy Is Wrongly Set As the Safe Owner

Lines of code Vulnerability details Impact We can observe from Vault721::mint function that the input usr in ODSafeManager::openSAFE function needs to be a previously built proxy of the user address. function mintaddress proxy, uint256 safeId external requiremsg.sender == addresssafeManager, 'V72...