Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
A path traversal vulnerability has been reported to affect QNAP devices running QuTScloud, QuTS hero, QTS, and QVR Pro Appliance. If exploited, this vulnerability allows attackers to read the contents of unexpected files and expose sensitive data.

We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance:
QuTScloud c126.96.36.1999 and later
QuTS hero h188.8.131.529 build 20220215 and later
QuTS hero h184.108.40.2061 build 20220218 and later
QTS 220.127.116.116 build 20220324 and later
QTS 18.104.22.1681 build 20220329 and later
CWE-22 - Path Traversal
Path traversal (or directory traversal) is a vulnerability that allows malicious users to traverse the server's root directory, gaining access to arbitrary files and folders such as application code and data, back-end credentials, and sensitive operating system files. In the worst-case scenario, an attacker could potentially execute arbitrary files on the server, resulting in a denial-of-service attack. Such an exploit may severely impact the integrity, confidentiality, and availability of an application.
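
The following is an added example, not code from the advisory or from QNAP, showing the containment check whose absence CWE-22 describes: a naive join next to a version that canonicalizes the path and then verifies it stays inside the restricted directory. The function names, the `share` / `share_private` layout and the sample requests are constructed for illustration, and a POSIX filesystem with symlink support is assumed.

```python
import os
import tempfile
from pathlib import Path


def resolve_naive(base: Path, requested: str) -> Path:
    # Weak form: untrusted input is joined to the base with no containment check.
    return Path(os.path.normpath(os.path.join(base, requested)))


def resolve_restricted(base: Path, requested: str) -> Path:
    # Canonicalize first (collapses "..", follows symlinks), then compare whole
    # path components; a string prefix test would accept "share_private".
    base_real = base.resolve()
    candidate = (base_real / requested).resolve()
    try:
        candidate.relative_to(base_real)
    except ValueError:
        raise PermissionError(f"outside restricted directory: {requested!r}") from None
    return candidate


def build_sample_tree() -> Path:
    # Constructed layout: share/ is the restricted directory, share_private/
    # is a sibling, and share/link is a symlink that points out of share/.
    root = Path(tempfile.mkdtemp()).resolve()
    base, private = root / "share", root / "share_private"
    (base / "docs").mkdir(parents=True)
    private.mkdir()
    (base / "report.txt").write_text("public")
    (private / "secret.txt").write_text("secret")
    os.symlink(private, base / "link")
    return base


def verdict(base: Path, requested: str) -> str:
    try:
        resolve_restricted(base, requested)
        return "allowed"
    except PermissionError:
        return "rejected"


if __name__ == "__main__":
    base = build_sample_tree()
    for name in ["report.txt", "docs/../report.txt", "../share_private/secret.txt",
                 "link/secret.txt", str(base.parent / "share_private" / "secret.txt")]:
        print(f"{name!r}: {verdict(base, name)}")
```

The check rejects relative, absolute and symlink-based escapes alike because it judges the resolved location rather than the characters in the request, which is also why `docs/../report.txt` is still served.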