CVE-2018-0707

HIGH

Qnap Q'center < 1.7.1063 - OS Command Injection

Title source: rule

Description

Command injection vulnerability in change password of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotelinux

https://www.exploit-db.com/exploits/45043

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by Core Security · textwebappshardware

https://www.exploit-db.com/exploits/45015

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Ivan Huertas, bcoles · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/qnap_qcenter_change_passwd_exec.rb

View Code ZIP pw:eip

References (7)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/148515/QNAP-Qcenter-Virtual-Appliance-1.6.x-Information-Disclosure-Command-Injection.html

[Exploit, Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2018/Jul/45

[Exploit, Third Party Advisory] https://www.coresecurity.com/advisories/qnap-qcenter-virtual-appliance-multiple-vulnerabilities

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/45015/

[Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/45043/

[Vendor Advisory] https://www.qnap.com/zh-tw/security-advisory/nas-201807-10

[Exploit, Third Party Advisory, VDB Entry] https://www.securityfocus.com/archive/1/542141/100/0/threaded

Scores

CVSS v3 7.2

EPSS 0.7472

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (1)

qnap/q\'center < 1.7.1063

Published Jul 17, 2018

Tracked Since Feb 18, 2026