CVE-2018-19945

CRITICAL

QNAP QTS <4.3.6 - Path Traversal

Title source: llm

Description

A vulnerability has been reported to affect earlier QNAP devices running QTS 4.3.4 to 4.3.6. Caused by improper limitations of a pathname to a restricted directory, this vulnerability allows for renaming arbitrary files on the target system, if exploited. QNAP have already fixed this vulnerability in the following versions: QTS 4.3.6.0895 build 20190328 (and later) QTS 4.3.4.0899 build 20190322 (and later) This issue does not affect QTS 4.4.x or QTS 4.5.x.

References (1)

[Vendor Advisory] https://www.qnap.com/zh-tw/security-advisory/qsa-20-21

Scores

CVSS v3 9.1

EPSS 0.0040

EPSS Percentile 60.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Classification

CWE

CWE-22 CWE-284 CWE-20 CWE-73

Status published

Affected Products (1)

qnap/qts < 4.3.4.0899

Timeline

Published Dec 31, 2020

Tracked Since Feb 18, 2026