6.7 CVE-2022-27592
An unquoted search path or element vulnerability has been reported to affect QVR Smart Client. If exploited, the vulnerability could allow local authenticated administrators to execute unauthorized code or commands via unspecified vectors.
We have already fixed the vulnerability in the following version:
Windows 10 SP1, Windows 11, Mac OS, and Mac M1: QVR Smart Client 2.4.0.0570 and later
https://nvd.nist.gov/vuln/detail/CVE-2022-27592
Categories
CWE-428 : Unquoted Search Path or Element
If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as "C:Program.exe" to be run by a privileged program making use of WinExec.
References
security@qnapsecurity.com.tw
https://www.qnap.com/en/security-advisory/qsa-24-22 Vendor Advisory |
CPE
cpe | start | end |
---|---|---|
Configuration 1 | ||
cpe:2.3:a:qnap:qvr_smart_client:*:*:*:*:*:*:*:* | >= 2.4.0 | < 2.4.0.0570 |
REMEDIATION
EXPLOITS
Exploit-db.com
id | description | date | |
---|---|---|---|
No known exploits |
POC Github
Url |
---|
No known exploits |
Other Nist (github, ...)
Url |
---|
No known exploits |
CAPEC
Common Attack Pattern Enumerations and Classifications
id | description | severity |
---|---|---|
No entry |
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.