Vulnerability Details CVE-2019-7195
This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.889
EPSS Ranking 99.5%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
Proposed Action
QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files.
Ransomware Campaign
Known
References
- http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html
- https://www.qnap.com/zh-tw/security-advisory/nas-201911-25
- http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html
- https://www.qnap.com/zh-tw/security-advisory/nas-201911-25
Products affected by CVE-2019-7195
-
cpe:2.3:a:qnap:photo_station:-
-
cpe:2.3:a:qnap:photo_station:5.2.0
-
cpe:2.3:a:qnap:photo_station:5.2.1
-
cpe:2.3:a:qnap:photo_station:5.2.14
-
cpe:2.3:a:qnap:photo_station:5.2.2
-
cpe:2.3:a:qnap:photo_station:5.2.3
-
cpe:2.3:a:qnap:photo_station:5.2.4
-
cpe:2.3:a:qnap:photo_station:5.2.5
-
cpe:2.3:a:qnap:photo_station:5.2.6
-
cpe:2.3:a:qnap:photo_station:5.2.7
-
cpe:2.3:a:qnap:photo_station:5.2.8
-
cpe:2.3:a:qnap:photo_station:5.2.9
-
cpe:2.3:a:qnap:photo_station:5.3.4
-
cpe:2.3:a:qnap:photo_station:5.3.5
-
cpe:2.3:a:qnap:photo_station:5.3.6
-
cpe:2.3:a:qnap:photo_station:5.4.0
-
cpe:2.3:a:qnap:photo_station:5.4.1
-
cpe:2.3:a:qnap:photo_station:5.4.10
-
cpe:2.3:a:qnap:photo_station:5.4.11
-
cpe:2.3:a:qnap:photo_station:5.4.12
-
cpe:2.3:a:qnap:photo_station:5.4.13
-
cpe:2.3:a:qnap:photo_station:5.4.15
-
cpe:2.3:a:qnap:photo_station:5.4.2
-
cpe:2.3:a:qnap:photo_station:5.4.3
-
cpe:2.3:a:qnap:photo_station:5.4.4
-
cpe:2.3:a:qnap:photo_station:5.4.5
-
cpe:2.3:a:qnap:photo_station:5.4.6
-
cpe:2.3:a:qnap:photo_station:5.4.7
-
cpe:2.3:a:qnap:photo_station:5.4.8
-
cpe:2.3:a:qnap:photo_station:5.4.9
-
cpe:2.3:a:qnap:photo_station:5.6.0
-
cpe:2.3:a:qnap:photo_station:5.6.1
-
cpe:2.3:a:qnap:photo_station:5.6.2
-
cpe:2.3:a:qnap:photo_station:5.6.3
-
cpe:2.3:a:qnap:photo_station:5.7.0
-
cpe:2.3:a:qnap:photo_station:5.7.1
-
cpe:2.3:a:qnap:photo_station:5.7.11
-
cpe:2.3:a:qnap:photo_station:5.7.12
-
cpe:2.3:a:qnap:photo_station:5.7.13
-
cpe:2.3:a:qnap:photo_station:5.7.14
-
cpe:2.3:a:qnap:photo_station:5.7.15
-
cpe:2.3:a:qnap:photo_station:5.7.16
-
cpe:2.3:a:qnap:photo_station:5.7.18
-
cpe:2.3:a:qnap:photo_station:5.7.2
-
cpe:2.3:a:qnap:photo_station:5.7.3
-
cpe:2.3:a:qnap:photo_station:5.7.4
-
cpe:2.3:a:qnap:photo_station:5.7.5
-
cpe:2.3:a:qnap:photo_station:5.7.6
-
cpe:2.3:a:qnap:photo_station:6.0.0
-
cpe:2.3:a:qnap:photo_station:6.0.1
-
cpe:2.3:a:qnap:photo_station:6.0.2
-
cpe:2.3:o:qnap:qts:4.2.6
-
cpe:2.3:o:qnap:qts:4.3.1.0013
-
cpe:2.3:o:qnap:qts:4.3.1.0023
-
cpe:2.3:o:qnap:qts:4.3.2.0050
-
cpe:2.3:o:qnap:qts:4.3.2.0060
-
cpe:2.3:o:qnap:qts:4.3.2.0144
-
cpe:2.3:o:qnap:qts:4.3.3
-
cpe:2.3:o:qnap:qts:4.3.4
-
cpe:2.3:o:qnap:qts:4.3.4.0358
-
cpe:2.3:o:qnap:qts:4.3.4.0370
-
cpe:2.3:o:qnap:qts:4.3.4.0372
-
cpe:2.3:o:qnap:qts:4.3.4.0374
-
cpe:2.3:o:qnap:qts:4.3.4.0387
-
cpe:2.3:o:qnap:qts:4.3.4.0411
-
cpe:2.3:o:qnap:qts:4.3.4.0416
-
cpe:2.3:o:qnap:qts:4.3.4.0427
-
cpe:2.3:o:qnap:qts:4.3.4.0434
-
cpe:2.3:o:qnap:qts:4.3.4.0435
-
cpe:2.3:o:qnap:qts:4.3.4.0451
-
cpe:2.3:o:qnap:qts:4.3.4.0483
-
cpe:2.3:o:qnap:qts:4.3.4.0486
-
cpe:2.3:o:qnap:qts:4.3.4.0506
-
cpe:2.3:o:qnap:qts:4.3.4.0516
-
cpe:2.3:o:qnap:qts:4.3.4.0526
-
cpe:2.3:o:qnap:qts:4.3.4.0551
-
cpe:2.3:o:qnap:qts:4.3.4.0557
-
cpe:2.3:o:qnap:qts:4.3.4.0561
-
cpe:2.3:o:qnap:qts:4.3.4.0569
-
cpe:2.3:o:qnap:qts:4.3.4.0593
-
cpe:2.3:o:qnap:qts:4.3.4.0597
-
cpe:2.3:o:qnap:qts:4.3.4.0604
-
cpe:2.3:o:qnap:qts:4.3.4.0899
-
cpe:2.3:o:qnap:qts:4.3.4.1029
-
cpe:2.3:o:qnap:qts:4.3.4.1082
-
cpe:2.3:o:qnap:qts:4.3.4.1190
-
cpe:2.3:o:qnap:qts:4.3.4.1282
-
cpe:2.3:o:qnap:qts:4.3.4.1368
-
cpe:2.3:o:qnap:qts:4.3.4.1417
-
cpe:2.3:o:qnap:qts:4.3.4.1463
-
cpe:2.3:o:qnap:qts:4.3.4.1632
-
cpe:2.3:o:qnap:qts:4.3.4.1652
-
cpe:2.3:o:qnap:qts:4.3.4.1976
-
cpe:2.3:o:qnap:qts:4.3.4.2107
-
cpe:2.3:o:qnap:qts:4.3.4.2242
-
cpe:2.3:o:qnap:qts:4.3.4.2451
-
cpe:2.3:o:qnap:qts:4.3.4.2675
-
cpe:2.3:o:qnap:qts:4.3.4.2814
-
cpe:2.3:o:qnap:qts:4.3.5
-
cpe:2.3:o:qnap:qts:4.3.6
-
cpe:2.3:o:qnap:qts:4.3.6.0895
-
cpe:2.3:o:qnap:qts:4.3.6.0907
-
cpe:2.3:o:qnap:qts:4.3.6.0923
-
cpe:2.3:o:qnap:qts:4.3.6.0944
-
cpe:2.3:o:qnap:qts:4.3.6.0959
-
cpe:2.3:o:qnap:qts:4.3.6.0979
-
cpe:2.3:o:qnap:qts:4.3.6.0993
-
cpe:2.3:o:qnap:qts:4.3.6.1013
-
cpe:2.3:o:qnap:qts:4.3.6.1033
-
cpe:2.3:o:qnap:qts:4.3.6.1070
-
cpe:2.3:o:qnap:qts:4.3.6.1154
-
cpe:2.3:o:qnap:qts:4.3.6.1218
-
cpe:2.3:o:qnap:qts:4.3.6.1263
-
cpe:2.3:o:qnap:qts:4.3.6.1286
-
cpe:2.3:o:qnap:qts:4.3.6.1333
-
cpe:2.3:o:qnap:qts:4.3.6.1411
-
cpe:2.3:o:qnap:qts:4.3.6.1446
-
cpe:2.3:o:qnap:qts:4.3.6.1620
-
cpe:2.3:o:qnap:qts:4.3.6.1663
-
cpe:2.3:o:qnap:qts:4.3.6.1711
-
cpe:2.3:o:qnap:qts:4.3.6.1750
-
cpe:2.3:o:qnap:qts:4.3.6.1831
-
cpe:2.3:o:qnap:qts:4.3.6.1907
-
cpe:2.3:o:qnap:qts:4.3.6.1965
-
cpe:2.3:o:qnap:qts:4.3.6.2050
-
cpe:2.3:o:qnap:qts:4.3.6.2232
-
cpe:2.3:o:qnap:qts:4.3.6.2441
-
cpe:2.3:o:qnap:qts:4.3.6.2665
-
cpe:2.3:o:qnap:qts:4.3.6.2805
-
cpe:2.3:o:qnap:qts:4.4.0
-
cpe:2.3:o:qnap:qts:4.4.1