CVE-2018-19950 - OpenCVE

If exploited, this command injection vulnerability could allow remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.1.13; versions prior to 5.2.9; versions prior to 5.3.11.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Qnap	Music Station Qts

Configuration 1 [-]

AND

cpe:2.3:o:qnap:qts:4.4.3:*:*:*:*:*:*:*

cpe:2.3:a:qnap:music_station:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:qnap:qts:4.3.4:*:*:*:*:*:*:*

cpe:2.3:a:qnap:music_station:*:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:qnap:qts:4.3.6:*:*:*:*:*:*:*

cpe:2.3:a:qnap:music_station:*:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:qnap:qts:4.3.3:*:*:*:*:*:*:*

cpe:2.3:a:qnap:music_station:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.qnap.com/en/security-advisory/qsa-20-10

History

No history.

MITRE

Status: PUBLISHED

Assigner: qnap

Published: 2020-11-02T15:57:02.523502Z

Updated: 2024-09-17T02:31:26.145Z

Reserved: 2018-12-07T00:00:00

Link: CVE-2018-19950

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-11-02T16:15:13.020

Modified: 2022-11-16T15:30:36.197

Link: CVE-2018-19950

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Music Station", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "5.1.13", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "5.2.9", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "5.3.11", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Independent Security Evaluators"}], "datePublic": "2020-10-30T00:00:00", "descriptions": [{"lang": "en", "value": "If exploited, this command injection vulnerability could allow remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.1.13; versions prior to 5.2.9; versions prior to 5.3.11."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 OS Command Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-02T15:57:02", "orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.qnap.com/en/security-advisory/qsa-20-10"}], "solutions": [{"lang": "en", "value": "QNAP have already fixed the issue in the following Music Station:\nQTS 4.3.3: Music Station 5.1.13 and later\nQTS 4.3.4: Music Station 5.1.13 and later\nQTS 4.3.6: Music Station 5.2.9 and later\nQTS 4.4.3: Music Station 5.3.11 and later"}], "source": {"advisory": "QSA-20-10", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@qnap.com", "DATE_PUBLIC": "2020-10-30T00:29:00.000Z", "ID": "CVE-2018-19950", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Music Station", "version": {"version_data": [{"version_affected": "<", "version_value": "5.1.13"}, {"version_affected": "<", "version_value": "5.2.9"}, {"version_affected": "<", "version_value": "5.3.11"}]}}]}, "vendor_name": "QNAP Systems Inc."}]}}, "credit": [{"lang": "eng", "value": "Independent Security Evaluators"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "If exploited, this command injection vulnerability could allow remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.1.13; versions prior to 5.2.9; versions prior to 5.3.11."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}, {"description": [{"lang": "eng", "value": "CWE-78 OS Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://www.qnap.com/en/security-advisory/qsa-20-10", "refsource": "MISC", "url": "https://www.qnap.com/en/security-advisory/qsa-20-10"}]}, "solution": [{"lang": "en", "value": "QNAP have already fixed the issue in the following Music Station:\nQTS 4.3.3: Music Station 5.1.13 and later\nQTS 4.3.4: Music Station 5.1.13 and later\nQTS 4.3.6: Music Station 5.2.9 and later\nQTS 4.4.3: Music Station 5.3.11 and later"}], "source": {"advisory": "QSA-20-10", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T11:51:17.750Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.qnap.com/en/security-advisory/qsa-20-10"}]}]}, "cveMetadata": {"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "assignerShortName": "qnap", "cveId": "CVE-2018-19950", "datePublished": "2020-11-02T15:57:02.523502Z", "dateReserved": "2018-12-07T00:00:00", "dateUpdated": "2024-09-17T02:31:26.145Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:qnap:qts:4.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "9EC590C3-3D01-48EC-9F7F-75CFDAAE11C6", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:qnap:music_station:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D27521E-21B4-4E37-8660-D71E28BA29E9", "versionEndExcluding": "5.3.11", "versionStartIncluding": "5.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:qnap:qts:4.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "F0C7D2D4-769F-4297-89F4-75366FFA7618", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:qnap:music_station:*:*:*:*:*:*:*:*", "matchCriteriaId": "859EBF79-D945-4DB9-9E85-7B33D8D79835", "versionEndExcluding": "5.1.13", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:qnap:qts:4.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "FE9FAC96-AA2A-4CA5-A170-8C0E6BD47391", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:qnap:music_station:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0B0D451-0D90-4E9D-8C7E-D2C7F0077E26", "versionEndExcluding": "5.2.9", "versionStartIncluding": "5.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:qnap:qts:4.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "C5994C07-17FE-4784-9FA4-9675BA8B4743", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:qnap:music_station:*:*:*:*:*:*:*:*", "matchCriteriaId": "859EBF79-D945-4DB9-9E85-7B33D8D79835", "versionEndExcluding": "5.1.13", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "If exploited, this command injection vulnerability could allow remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.1.13; versions prior to 5.2.9; versions prior to 5.3.11."}, {"lang": "es", "value": "Si es explotada, esta vulnerabilidad de inyecci\u00f3n de comandos podr\u00eda permitir a atacantes remotos ejecutar comandos arbitrarios. Este problema afecta a: QNAP Systems Inc. Music Station versiones anteriores a 5.1.13; versiones anteriores a 5.2.9; versiones anteriores a 5.3.11"}], "id": "CVE-2018-19950", "lastModified": "2022-11-16T15:30:36.197", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-02T16:15:13.020", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-20-10"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}], "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}