6.7 CVE-2022-27592

 

An unquoted search path or element vulnerability has been reported to affect QVR Smart Client. If exploited, the vulnerability could allow local authenticated administrators to execute unauthorized code or commands via unspecified vectors. We have already fixed the vulnerability in the following version: Windows 10 SP1, Windows 11, Mac OS, and Mac M1: QVR Smart Client 2.4.0.0570 and later
https://nvd.nist.gov/vuln/detail/CVE-2022-27592

Categories

CWE-428 : Unquoted Search Path or Element
If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as "C:Program.exe" to be run by a privileged program making use of WinExec.

References

security@qnapsecurity.com.tw


 

CPE

cpe start end
Configuration 1
cpe:2.3:a:qnap:qvr_smart_client:*:*:*:*:*:*:*:* >= 2.4.0 < 2.4.0.0570


REMEDIATION




EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
No entry