CVE-2018-0715

MEDIUM

QNAP Photo Station <= 5.7.0 - Cross-Site Scripting

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-0715. PoCs published by Mitsuaki Shiraishi.

AI-analyzed exploit summary This exploit demonstrates a reflected XSS vulnerability in QNAP Photo Station 5.7.0 and earlier. The PoC URL injects an img tag with an onerror event handler that triggers an alert dialog.

Description

Cross-site scripting vulnerability in QNAP Photo Station versions 5.7.0 and earlier could allow remote attackers to inject Javascript code in the compromised application.

Exploits (1)

exploitdb WORKING POC

by Mitsuaki Shiraishi · textwebappshardware

https://www.exploit-db.com/exploits/45348

View Code ZIP pw:eip

This exploit demonstrates a reflected XSS vulnerability in QNAP Photo Station 5.7.0 and earlier. The PoC URL injects an img tag with an onerror event handler that triggers an alert dialog.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: QNAP Photo Station versions 5.7.0 and earlier

No auth needed

Prerequisites: Access to the target Photo Station instance

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://www.qnap.com/zh-tw/security-advisory/nas-201808-23

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/45348/

Scores

CVSS v3 6.1

EPSS 0.0312

EPSS Percentile 86.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

qnap/photo_station < 5.7.0

Published Aug 27, 2018

Tracked Since Feb 18, 2026