CVE Details for CVE: CVE-2021-28812
Summary
A command injection vulnerability has been reported to affect certain versions of Video Station. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Video Station versions prior to 5.5.4 on QTS 4.5.2; versions prior to 5.5.4 on QuTS hero h4.5.2; versions prior to 5.5.4 on QuTScloud c4.5.4. This issue does not affect: QNAP Systems Inc. Video Station on QTS 4.3.6; on QTS 4.3.3.
Timestamps
Last major update 11-06-2021 - 17:34
Published 03-06-2021 - 03:15
Last modified 11-06-2021 - 17:34
Vulnerable Configurations
  • cpe:2.3:a:qnap:video_station:5.1.3:*:*:*:*:*:*:*
    cpe:2.3:a:qnap:video_station:5.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:qnap:video_station:5.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:qnap:video_station:5.2.0:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qts:4.5.2:*:*:*:*:*:*:*
    cpe:2.3:o:qnap:qts:4.5.2:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:quts_hero:h4.5.2:*:*:*:*:*:*:*
    cpe:2.3:o:qnap:quts_hero:h4.5.2:*:*:*:*:*:*:*
  • cpe:2.3:o:qnap:qutscloud:c4.5.4:*:*:*:*:*:*:*
    cpe:2.3:o:qnap:qutscloud:c4.5.4:*:*:*:*:*:*:*
CAPEC
Click the CAPEC title to display a description
  • This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database. In order to successfully inject SQL and retrieve information from a database, an attacker:
CWE
CVSS
Base
6.5
Impact
6.4
Exploitability
8.0
Access
VectorComplexityAuthentication
NETWORK LOW SINGLE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
CVSS3
Base
8.8
Impact
5.9
Exploitability
2.8
Access
Attack ComplexityAttack vectorPrivileges RequiredScopeUser Interaction
LOW NETWORK LOW UNCHANGED NONE
Impact
ConfidentialityIntegrityAvailability
HIGH HIGH HIGH
VIA4 references
cvss-vector via4
AV:N/AC:L/Au:S/C:P/I:P/A:P
cvss3-vector via4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H