CVE-2023-47564

HIGH

Qsync Central 4.3.0.0-4.3.0.10 - Authenticated Incorrect Permission Assignment for Critical Resource

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-47564. PoCs published by C411e.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2023-47564, an incorrect permission assignment vulnerability in QNAP Qsync Central. It explains how an authenticated attacker can exploit the `/cgi-bin/qsync/qboxRequest.cgi` endpoint to leak session IDs of other users and hijack their sessions.

Description

An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network. We have already fixed the vulnerability in the following versions:
Qsync Central 4.4.0.15 (2024/01/04) and later
Qsync Central 4.3.0.11 (2024/01/11) and later

Exploits (1)

nomisec WRITEUP
by C411e · poc
https://github.com/C411e/CVE-2023-47564

Classification: Writeup 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: QNAP Qsync Central 4.4.x, 4.3.x
Auth required
Prerequisites: Authenticated access to QNAP Qsync Central · Valid session ID (sid)
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3: 8.0
EPSS: 0.0101
EPSS Percentile: 58.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-732
Status: published
Products (1): qnap/qsync_central 4.3.0.0 - 4.3.0.11
Published: Feb 02, 2024
Tracked Since: Feb 18, 2026