Search

Find a vulnerability

Search criteria

    8 vulnerabilities found for nas4dual_firmware by iptime

    CVE-2022-23771 (GCVE-0-2022-23771)

    Vulnerability from nvd – Published: 2022-10-17 00:00 – Updated: 2025-05-09 14:49
    VLAI
    Title
    IPTIME NAS1DUAL CSRF Vulnerability
    Summary
    This vulnerability occurs in user accounts creation and deleteion related pages of IPTIME NAS products. The vulnerability could be exploited by a lack of validation when a POST request is made to this page. An attacker can use this vulnerability to or delete user accounts, or to escalate arbitrary user privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    EFM Networks Co., Ltd NAS1dual, NAS2dual, NAS4dual Affected: unspecified , < 1.4.86 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:51:46.060Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66964"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-23771",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-09T14:26:23.184747Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-09T14:49:10.046Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "Linux, Windows and etc.."
              ],
              "product": "NAS1dual, NAS2dual, NAS4dual",
              "vendor": "EFM Networks Co., Ltd",
              "versions": [
                {
                  "lessThan": "1.4.86",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "This vulnerability occurs in user accounts creation and deleteion related pages of IPTIME NAS products. The vulnerability could be exploited by a lack of validation when a POST request is made to this page. An attacker can use this vulnerability to or delete user accounts, or to escalate arbitrary user privileges."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-17T00:00:00.000Z",
            "orgId": "cdd7a122-0fae-4202-8d86-14efbacc2863",
            "shortName": "krcert"
          },
          "references": [
            {
              "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66964"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IPTIME NAS1DUAL CSRF Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cdd7a122-0fae-4202-8d86-14efbacc2863",
        "assignerShortName": "krcert",
        "cveId": "CVE-2022-23771",
        "datePublished": "2022-10-17T00:00:00.000Z",
        "dateReserved": "2022-01-19T00:00:00.000Z",
        "dateUpdated": "2025-05-09T14:49:10.046Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-23765 (GCVE-0-2022-23765)

    Vulnerability from nvd – Published: 2022-08-17 20:24 – Updated: 2024-08-03 03:51
    VLAI
    Title
    IPTIME NAS family CSRF vulnerability
    Summary
    This vulnerability occured by sending a malicious POST request to a specific page while logged in random user from some family of IPTIME NAS. Remote attackers can steal root privileges by changing the password of the root through a POST request.
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    EFM Networks Co.,Ltd NAS1dual, NAS2dual, NAS4dual Affected: unspecified , < 1.4.86 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:51:46.056Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66877"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "Linux, Windows and etc.."
              ],
              "product": "NAS1dual, NAS2dual, NAS4dual",
              "vendor": "EFM Networks Co.,Ltd",
              "versions": [
                {
                  "lessThan": "1.4.86",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "This vulnerability occured by sending a malicious POST request to a specific page while logged in random user from some family of IPTIME NAS. Remote attackers can steal root privileges by changing the password of the root through a POST request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-17T20:24:23.000Z",
            "orgId": "cdd7a122-0fae-4202-8d86-14efbacc2863",
            "shortName": "krcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66877"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IPTIME NAS family CSRF vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vuln@krcert.or.kr",
              "ID": "CVE-2022-23765",
              "STATE": "PUBLIC",
              "TITLE": "IPTIME NAS family CSRF vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "NAS1dual, NAS2dual, NAS4dual",
                          "version": {
                            "version_data": [
                              {
                                "platform": "Linux, Windows and etc..",
                                "version_affected": "\u003c",
                                "version_value": "1.4.86"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "EFM Networks Co.,Ltd"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "This vulnerability occured by sending a malicious POST request to a specific page while logged in random user from some family of IPTIME NAS. Remote attackers can steal root privileges by changing the password of the root through a POST request."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66877",
                  "refsource": "MISC",
                  "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66877"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cdd7a122-0fae-4202-8d86-14efbacc2863",
        "assignerShortName": "krcert",
        "cveId": "CVE-2022-23765",
        "datePublished": "2022-08-17T20:24:23.000Z",
        "dateReserved": "2022-01-19T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:51:46.056Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26620 (GCVE-0-2021-26620)

    Vulnerability from nvd – Published: 2022-03-25 18:02 – Updated: 2024-08-03 20:26
    VLAI
    Title
    IPTIME NAS2dual improper authentication vulnerability
    Summary
    An improper authentication vulnerability leading to information leakage was discovered in iptime NAS2dual. Remote attackers are able to steal important information in the server by exploiting vulnerabilities such as insufficient authentication when accessing the shared folder and changing user’s passwords.
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.555Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66578"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "Windows"
              ],
              "product": "ipTIME NAS product (NAS1, 2, 3, 4, 1dual, 2dual 4dual)",
              "vendor": "EFM Networks Co., Ltd",
              "versions": [
                {
                  "lessThan": "1.4.82",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An improper authentication vulnerability leading to information leakage was discovered in iptime NAS2dual. Remote attackers are able to steal important information in the server by exploiting vulnerabilities such as insufficient authentication when accessing the shared folder and changing user\u2019s passwords."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-25T18:02:37.000Z",
            "orgId": "cdd7a122-0fae-4202-8d86-14efbacc2863",
            "shortName": "krcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66578"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IPTIME NAS2dual improper authentication vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vuln@krcert.or.kr",
              "ID": "CVE-2021-26620",
              "STATE": "PUBLIC",
              "TITLE": "IPTIME NAS2dual improper authentication vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ipTIME NAS product (NAS1, 2, 3, 4, 1dual, 2dual 4dual)",
                          "version": {
                            "version_data": [
                              {
                                "platform": "Windows",
                                "version_affected": "\u003c",
                                "version_value": "1.4.82"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "EFM Networks Co., Ltd"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An improper authentication vulnerability leading to information leakage was discovered in iptime NAS2dual. Remote attackers are able to steal important information in the server by exploiting vulnerabilities such as insufficient authentication when accessing the shared folder and changing user\u2019s passwords."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-287 Improper Authentication"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66578",
                  "refsource": "MISC",
                  "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66578"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cdd7a122-0fae-4202-8d86-14efbacc2863",
        "assignerShortName": "krcert",
        "cveId": "CVE-2021-26620",
        "datePublished": "2022-03-25T18:02:37.000Z",
        "dateReserved": "2021-02-03T00:00:00.000Z",
        "dateUpdated": "2024-08-03T20:26:25.555Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-7847 (GCVE-0-2020-7847)

    Vulnerability from nvd – Published: 2021-02-23 15:39 – Updated: 2024-08-04 09:41
    VLAI
    Summary
    The ipTIME NAS product allows an arbitrary file upload vulnerability in the Manage Bulletins/Upload feature, which can be leveraged to gain remote code execution. This issue affects: pTIME NAS 1.4.36.
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    Impacted products
    Vendor Product Version
    EFM Networks ipTIME NAS Affected: 1.4.36
    Create a notification for this product.
    Credits
    JaeHyung Lee, InHyung Lee
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T09:41:01.870Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35921"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ipTIME NAS",
              "vendor": "EFM Networks",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.4.36"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "JaeHyung Lee, InHyung Lee"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The ipTIME NAS product allows an arbitrary file upload vulnerability in the Manage Bulletins/Upload feature, which can be leveraged to gain remote code execution. This issue affects: pTIME NAS 1.4.36."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-23T15:39:06.000Z",
            "orgId": "cdd7a122-0fae-4202-8d86-14efbacc2863",
            "shortName": "krcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35921"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vuln@krcert.or.kr",
              "ID": "CVE-2020-7847",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ipTIME NAS",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "1.4.36"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "EFM Networks"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "JaeHyung Lee, InHyung Lee"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The ipTIME NAS product allows an arbitrary file upload vulnerability in the Manage Bulletins/Upload feature, which can be leveraged to gain remote code execution. This issue affects: pTIME NAS 1.4.36."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35921",
                  "refsource": "CONFIRM",
                  "url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35921"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cdd7a122-0fae-4202-8d86-14efbacc2863",
        "assignerShortName": "krcert",
        "cveId": "CVE-2020-7847",
        "datePublished": "2021-02-23T15:39:06.000Z",
        "dateReserved": "2020-01-22T00:00:00.000Z",
        "dateUpdated": "2024-08-04T09:41:01.870Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-23771 (GCVE-0-2022-23771)

    Vulnerability from cvelistv5 – Published: 2022-10-17 00:00 – Updated: 2025-05-09 14:49
    VLAI
    Title
    IPTIME NAS1DUAL CSRF Vulnerability
    Summary
    This vulnerability occurs in user accounts creation and deleteion related pages of IPTIME NAS products. The vulnerability could be exploited by a lack of validation when a POST request is made to this page. An attacker can use this vulnerability to or delete user accounts, or to escalate arbitrary user privileges.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    EFM Networks Co., Ltd NAS1dual, NAS2dual, NAS4dual Affected: unspecified , < 1.4.86 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:51:46.060Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66964"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-23771",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-09T14:26:23.184747Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-09T14:49:10.046Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "Linux, Windows and etc.."
              ],
              "product": "NAS1dual, NAS2dual, NAS4dual",
              "vendor": "EFM Networks Co., Ltd",
              "versions": [
                {
                  "lessThan": "1.4.86",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "This vulnerability occurs in user accounts creation and deleteion related pages of IPTIME NAS products. The vulnerability could be exploited by a lack of validation when a POST request is made to this page. An attacker can use this vulnerability to or delete user accounts, or to escalate arbitrary user privileges."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-17T00:00:00.000Z",
            "orgId": "cdd7a122-0fae-4202-8d86-14efbacc2863",
            "shortName": "krcert"
          },
          "references": [
            {
              "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66964"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IPTIME NAS1DUAL CSRF Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cdd7a122-0fae-4202-8d86-14efbacc2863",
        "assignerShortName": "krcert",
        "cveId": "CVE-2022-23771",
        "datePublished": "2022-10-17T00:00:00.000Z",
        "dateReserved": "2022-01-19T00:00:00.000Z",
        "dateUpdated": "2025-05-09T14:49:10.046Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-23765 (GCVE-0-2022-23765)

    Vulnerability from cvelistv5 – Published: 2022-08-17 20:24 – Updated: 2024-08-03 03:51
    VLAI
    Title
    IPTIME NAS family CSRF vulnerability
    Summary
    This vulnerability occured by sending a malicious POST request to a specific page while logged in random user from some family of IPTIME NAS. Remote attackers can steal root privileges by changing the password of the root through a POST request.
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    EFM Networks Co.,Ltd NAS1dual, NAS2dual, NAS4dual Affected: unspecified , < 1.4.86 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:51:46.056Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66877"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "Linux, Windows and etc.."
              ],
              "product": "NAS1dual, NAS2dual, NAS4dual",
              "vendor": "EFM Networks Co.,Ltd",
              "versions": [
                {
                  "lessThan": "1.4.86",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "This vulnerability occured by sending a malicious POST request to a specific page while logged in random user from some family of IPTIME NAS. Remote attackers can steal root privileges by changing the password of the root through a POST request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-17T20:24:23.000Z",
            "orgId": "cdd7a122-0fae-4202-8d86-14efbacc2863",
            "shortName": "krcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66877"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IPTIME NAS family CSRF vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vuln@krcert.or.kr",
              "ID": "CVE-2022-23765",
              "STATE": "PUBLIC",
              "TITLE": "IPTIME NAS family CSRF vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "NAS1dual, NAS2dual, NAS4dual",
                          "version": {
                            "version_data": [
                              {
                                "platform": "Linux, Windows and etc..",
                                "version_affected": "\u003c",
                                "version_value": "1.4.86"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "EFM Networks Co.,Ltd"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "This vulnerability occured by sending a malicious POST request to a specific page while logged in random user from some family of IPTIME NAS. Remote attackers can steal root privileges by changing the password of the root through a POST request."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66877",
                  "refsource": "MISC",
                  "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66877"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cdd7a122-0fae-4202-8d86-14efbacc2863",
        "assignerShortName": "krcert",
        "cveId": "CVE-2022-23765",
        "datePublished": "2022-08-17T20:24:23.000Z",
        "dateReserved": "2022-01-19T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:51:46.056Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26620 (GCVE-0-2021-26620)

    Vulnerability from cvelistv5 – Published: 2022-03-25 18:02 – Updated: 2024-08-03 20:26
    VLAI
    Title
    IPTIME NAS2dual improper authentication vulnerability
    Summary
    An improper authentication vulnerability leading to information leakage was discovered in iptime NAS2dual. Remote attackers are able to steal important information in the server by exploiting vulnerabilities such as insufficient authentication when accessing the shared folder and changing user’s passwords.
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:26:25.555Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66578"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "Windows"
              ],
              "product": "ipTIME NAS product (NAS1, 2, 3, 4, 1dual, 2dual 4dual)",
              "vendor": "EFM Networks Co., Ltd",
              "versions": [
                {
                  "lessThan": "1.4.82",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An improper authentication vulnerability leading to information leakage was discovered in iptime NAS2dual. Remote attackers are able to steal important information in the server by exploiting vulnerabilities such as insufficient authentication when accessing the shared folder and changing user\u2019s passwords."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-25T18:02:37.000Z",
            "orgId": "cdd7a122-0fae-4202-8d86-14efbacc2863",
            "shortName": "krcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66578"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IPTIME NAS2dual improper authentication vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vuln@krcert.or.kr",
              "ID": "CVE-2021-26620",
              "STATE": "PUBLIC",
              "TITLE": "IPTIME NAS2dual improper authentication vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ipTIME NAS product (NAS1, 2, 3, 4, 1dual, 2dual 4dual)",
                          "version": {
                            "version_data": [
                              {
                                "platform": "Windows",
                                "version_affected": "\u003c",
                                "version_value": "1.4.82"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "EFM Networks Co., Ltd"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An improper authentication vulnerability leading to information leakage was discovered in iptime NAS2dual. Remote attackers are able to steal important information in the server by exploiting vulnerabilities such as insufficient authentication when accessing the shared folder and changing user\u2019s passwords."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-287 Improper Authentication"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66578",
                  "refsource": "MISC",
                  "url": "https://www.krcert.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=66578"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cdd7a122-0fae-4202-8d86-14efbacc2863",
        "assignerShortName": "krcert",
        "cveId": "CVE-2021-26620",
        "datePublished": "2022-03-25T18:02:37.000Z",
        "dateReserved": "2021-02-03T00:00:00.000Z",
        "dateUpdated": "2024-08-03T20:26:25.555Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-7847 (GCVE-0-2020-7847)

    Vulnerability from cvelistv5 – Published: 2021-02-23 15:39 – Updated: 2024-08-04 09:41
    VLAI
    Summary
    The ipTIME NAS product allows an arbitrary file upload vulnerability in the Manage Bulletins/Upload feature, which can be leveraged to gain remote code execution. This issue affects: pTIME NAS 1.4.36.
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    Impacted products
    Vendor Product Version
    EFM Networks ipTIME NAS Affected: 1.4.36
    Create a notification for this product.
    Credits
    JaeHyung Lee, InHyung Lee
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T09:41:01.870Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35921"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ipTIME NAS",
              "vendor": "EFM Networks",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.4.36"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "JaeHyung Lee, InHyung Lee"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The ipTIME NAS product allows an arbitrary file upload vulnerability in the Manage Bulletins/Upload feature, which can be leveraged to gain remote code execution. This issue affects: pTIME NAS 1.4.36."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-23T15:39:06.000Z",
            "orgId": "cdd7a122-0fae-4202-8d86-14efbacc2863",
            "shortName": "krcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35921"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vuln@krcert.or.kr",
              "ID": "CVE-2020-7847",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ipTIME NAS",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "1.4.36"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "EFM Networks"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "JaeHyung Lee, InHyung Lee"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The ipTIME NAS product allows an arbitrary file upload vulnerability in the Manage Bulletins/Upload feature, which can be leveraged to gain remote code execution. This issue affects: pTIME NAS 1.4.36."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35921",
                  "refsource": "CONFIRM",
                  "url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35921"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cdd7a122-0fae-4202-8d86-14efbacc2863",
        "assignerShortName": "krcert",
        "cveId": "CVE-2020-7847",
        "datePublished": "2021-02-23T15:39:06.000Z",
        "dateReserved": "2020-01-22T00:00:00.000Z",
        "dateUpdated": "2024-08-04T09:41:01.870Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }