A vulnerability was found in QNAP Photo Station 4.0.3 and classified as problematic. Affected by this issue is some unknown processing of the file photo/p/api/list.php. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality. CVE summarizes:

QNAP Photo Station before firmware 4.0.3 build0912 allows remote attackers to list OS user accounts via a request to photo/p/api/list.php.

The weakness was presented 09/27/2013 by Tom Neaves with Trustwave SpiderLabs as Trustwave SpiderLabs Security Advisory TWSL2013-029 as confirmed advisory (Website). The advisory is available at trustwave.com. The public release was coordinated in cooperation with the vendor. This vulnerability is handled as CVE-2013-5760 since 09/18/2013. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details as well as a public exploit are known. This vulnerability is assigned to T1592 by the MITRE ATT&CK project.

After immediately, there has been an exploit disclosed. It is declared as highly functional. By approaching the search of inurl:photo/p/api/list.php it is possible to find vulnerable targets with Google Hacking.

Upgrading to version 4.0.3 eliminates this vulnerability. A possible mitigation has been published even before and not after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at X-Force (89117).

Productinfo

Vendor

• QNAP

Name

• Photo Station

Version

• 4.0.3

License

• commercial

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion