Details of VAR-201406-0075

ID

VAR-201406-0075

CVE

CVE-2013-5760

TITLE

QNAP Photo Station In OS Vulnerability that lists all user accounts

Trust: 0.8

sources: JVNDB: JVNDB-2013-006580

DESCRIPTION

QNAP Photo Station before firmware 4.0.3 build0912 allows remote attackers to list OS user accounts via a request to photo/p/api/list.php. QNAP Photo Station is a network storage device that can be used for image storage. QNAP Photo Station is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks. Versions prior to QNAP Photo Station 4.0.3 build0912 are vulnerable. QNAP Systems QNAP Photo Station is a web-based photo album application from QNAP Systems, which supports organizing and sharing photos and videos on the NAS via the Internet

Trust: 2.52

sources: NVD: CVE-2013-5760 // JVNDB: JVNDB-2013-006580 // CNVD: CNVD-2014-03648 // BID: 68222 // VULHUB: VHN-65762

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-03648

AFFECTED PRODUCTS

vendor:	qnap	model:	photo station	scope:	eq	version:	4.0.3	Trust: 1.5
vendor:	qnap	model:	photo station	scope:	-	version:	-	Trust: 1.4
vendor:	qnap	model:	photo station	scope:	lte	version:	4.0.3	Trust: 1.0
vendor:	qnap	model:	photo station	scope:	eq	version:	-	Trust: 1.0
vendor:	qnap	model:	photo station	scope:	lt	version:	4.0.3 build0912	Trust: 0.8
vendor:	qnap	model:	photo station build0912	scope:	ne	version:	4.0.3	Trust: 0.3

sources: CNVD: CNVD-2014-03648 // BID: 68222 // JVNDB: JVNDB-2013-006580 // CNNVD: CNNVD-201406-116 // NVD: CVE-2013-5760

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-5760
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2013-5760
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2014-03648
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201406-116
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-65762
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2013-5760
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2014-03648
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-65762
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2014-03648 // VULHUB: VHN-65762 // JVNDB: JVNDB-2013-006580 // CNNVD: CNNVD-201406-116 // NVD: CVE-2013-5760

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.9

sources: VULHUB: VHN-65762 // JVNDB: JVNDB-2013-006580 // NVD: CVE-2013-5760

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201406-116

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201406-116

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-006580

PATCH

title:	Photo Station	url:	http://www.qnap.com/jp/?lang=jp&sn=3993	Trust: 0.8
title:	QNAP Photo Station Information Disclosure Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/46387	Trust: 0.6

sources: CNVD: CNVD-2014-03648 // JVNDB: JVNDB-2013-006580

EXTERNAL IDS

db:	NVD	id:	CVE-2013-5760	Trust: 3.4
db:	JVNDB	id:	JVNDB-2013-006580	Trust: 0.8
db:	CNNVD	id:	CNNVD-201406-116	Trust: 0.7
db:	CNVD	id:	CNVD-2014-03648	Trust: 0.6
db:	XF	id:	89117	Trust: 0.6
db:	XF	id:	20135760	Trust: 0.6
db:	BID	id:	68222	Trust: 0.4
db:	VULHUB	id:	VHN-65762	Trust: 0.1

sources: CNVD: CNVD-2014-03648 // VULHUB: VHN-65762 // BID: 68222 // JVNDB: JVNDB-2013-006580 // CNNVD: CNNVD-201406-116 // NVD: CVE-2013-5760

REFERENCES

url:	https://www3.trustwave.com/spiderlabs/advisories/twsl2013-029.txt	Trust: 3.4
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/89117	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-5760	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-5760	Trust: 0.8
url:	http://xforce.iss.net/xforce/xfdb/89117	Trust: 0.6
url:	http://www.qnap.com/useng/index.php?sn=7269	Trust: 0.3

sources: CNVD: CNVD-2014-03648 // VULHUB: VHN-65762 // BID: 68222 // JVNDB: JVNDB-2013-006580 // CNNVD: CNNVD-201406-116 // NVD: CVE-2013-5760

CREDITS

Tom Neaves of Trustwave SpiderLabs

Trust: 0.3

sources: BID: 68222

SOURCES

db:	CNVD	id:	CNVD-2014-03648
db:	VULHUB	id:	VHN-65762
db:	BID	id:	68222
db:	JVNDB	id:	JVNDB-2013-006580
db:	CNNVD	id:	CNNVD-201406-116
db:	NVD	id:	CVE-2013-5760

LAST UPDATE DATE

2024-11-23T22:39:01.229000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-03648	date:	2014-06-13T00:00:00
db:	VULHUB	id:	VHN-65762	date:	2017-08-29T00:00:00
db:	BID	id:	68222	date:	2013-09-27T00:00:00
db:	JVNDB	id:	JVNDB-2013-006580	date:	2014-06-11T00:00:00
db:	CNNVD	id:	CNNVD-201406-116	date:	2014-06-10T00:00:00
db:	NVD	id:	CVE-2013-5760	date:	2024-11-21T01:58:03.983

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2014-03648	date:	2014-06-13T00:00:00
db:	VULHUB	id:	VHN-65762	date:	2014-06-09T00:00:00
db:	BID	id:	68222	date:	2013-09-27T00:00:00
db:	JVNDB	id:	JVNDB-2013-006580	date:	2014-06-11T00:00:00
db:	CNNVD	id:	CNNVD-201406-116	date:	2014-06-10T00:00:00
db:	NVD	id:	CVE-2013-5760	date:	2014-06-09T19:55:09.757