CVE-2020-25847

Summary

This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions of QTS and QuTS hero.

Affected Software

VendorProductVersion RangeStatus
QNAP Systems Inc.QTSunspecified < 4.5.1.1495affected
QNAP Systems Inc.QTSunspecified <= 4.4.3.1444affected
QNAP Systems Inc.QTS4.3.xunaffected
QNAP Systems Inc.QTS4.2.xunaffected
QNAP Systems Inc.QuTS herounspecified < h4.5.1.1491affected

Weaknesses

  • CWE-77: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • CWE-78: CWE-78 OS Command Injection

ADP Enrichment

CVE Program Container

Additional References

References