PT-2025-31686 · Raidsonic · Ib-Nas4220+1
Published 2025-08-01 · Updated 2025-08-01 · CVE-2013-10049
CVSS v4.0: 9.3 Critical
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Raidsonic NAS devices versions IB-NAS5220 and IB-NAS4220
Description
An OS command injection issue exists due to improper sanitization of user-supplied input. The timeHandler.cgi API endpoint is vulnerable, allowing remote attackers to inject arbitrary shell commands via the timeZone parameter in a POST request. The endpoint is unauthenticated.
Recommendations
Apply input validation and sanitization to the timeZone parameter of the timeHandler.cgi endpoint.
Fix
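One way to apply the recommendation above, as an added example that is not the vendor's code and not part of the original advisory: an allow-list check for the timeZone value, with the accepted value then used as data instead of being placed in a shell command string. It assumes the parameter carries an IANA-style zone name; `tz_name_is_safe`, `tz_zoneinfo_path`, `TZ_MAX_LEN` and `ZONEINFO_DIR` are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TZ_MAX_LEN 64                        /* assumed upper bound for a zone name */
#define ZONEINFO_DIR "/usr/share/zoneinfo"   /* assumed location, not from the advisory */

/* Allow-list check: letters, digits, '_', '-', '+' and single '/' separators only.
 * Shell metacharacters, whitespace, '.', quotes and control bytes are rejected
 * because they are not on the list. */
bool tz_name_is_safe(const char *tz)
{
    size_t i;

    if (tz == NULL || tz[0] == '\0')
        return false;
    if (tz[0] == '/' || tz[0] == '-')        /* no absolute paths, no option-like values */
        return false;
    for (i = 0; tz[i] != '\0'; i++) {
        unsigned char c = (unsigned char)tz[i];
        bool ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                  (c >= '0' && c <= '9') ||
                  c == '_' || c == '-' || c == '+' || c == '/';
        if (!ok || i >= TZ_MAX_LEN)
            return false;
        if (c == '/' && (tz[i + 1] == '/' || tz[i + 1] == '\0'))
            return false;                    /* no empty path components */
    }
    return true;
}

/* Build the zone file path from a validated name. Returns 0 on success, -1 if the
 * name is rejected or the output buffer is too small. */
int tz_zoneinfo_path(const char *tz, char *out, size_t outlen)
{
    int n;

    if (!tz_name_is_safe(tz))
        return -1;
    n = snprintf(out, outlen, "%s/%s", ZONEINFO_DIR, tz);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

Because '.' is not on the allow-list, path traversal sequences are rejected along with shell metacharacters.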
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Ib-Nas4220
Ib-Nas5220