CVE-2021-28812

Summary

A command injection vulnerability has been reported to affect certain versions of Video Station. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Video Station versions prior to 5.5.4 on QTS 4.5.2; versions prior to 5.5.4 on QuTS hero h4.5.2; versions prior to 5.5.4 on QuTScloud c4.5.4. This issue does not affect: QNAP Systems Inc. Video Station on QTS 4.3.6; on QTS 4.3.3.

Affected Software

VendorProductVersion RangeStatus
QNAP Systems Inc.Video Stationunspecified < 5.5.4affected
QNAP Systems Inc.Video Stationunspecified < 5.5.4affected
QNAP Systems Inc.Video Stationunspecified < 5.5.4affected
QNAP Systems Inc.Video Station5.3.xunaffected
QNAP Systems Inc.Video Station5.1.xunaffected

Weaknesses

  • CWE-1286: CWE-1286 Improper Validation of Syntactic Correctness of Input
  • CWE-77: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • CWE-78: CWE-78 OS Command Injection

ADP Enrichment

CVE Program Container

Additional References

References