Details of VAR-201302-0538

ID

VAR-201302-0538

CVE

CVE-2013-10049

TITLE

Multiple vulnerabilities in RaidSonic IB-NAS5220/IB-NAS4220-B

Trust: 0.6

sources: CNVD: CNVD-2013-01131

DESCRIPTION

An OS command injection vulnerability exists in multiple Raidsonic NAS devices—specifically tested on IB-NAS5220 and IB-NAS4220—via the unauthenticated timeHandler.cgi endpoint exposed through the web interface. The CGI script fails to properly sanitize user-supplied input in the timeZone parameter of a POST request, allowing remote attackers to inject arbitrary shell commands. The RaidSonic IB-NAS5220/IB-NAS4220-B are two NAS devices. The RaidSonic IB-NAS5220/IB-NAS4220-B has multiple security vulnerabilities, including authentication bypass, cross-site scripting, and OS command injection, allowing attackers to exploit vulnerabilities to obtain sensitive information or execute arbitrary code. RaidSonic IB-NAS5220 and IB-NAS422-B are prone to multiple security vulnerabilities, including: 1. An authentication-bypass vulnerability 2. An HTML-injection vulnerability 3

Trust: 1.71

sources: NVD: CVE-2013-10049 // CNVD: CNVD-2013-01131 // BID: 57958

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2013-01131

AFFECTED PRODUCTS

vendor:	raidsonic	model:	ib-nas5220 2.6.3-20100206s	scope:	-	version:	-	Trust: 0.6
vendor:	raidsonic	model:	ib-nas4220-b 2.6.3.ib.1.rs.1	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2013-01131

CVSS

SEVERITY

CVSSV2

CVSSV3

disclosure@vulncheck.com:	CVE-2013-10049
value:	CRITICAL
Trust: 1.0

sources: NVD: CVE-2013-10049

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.0

sources: NVD: CVE-2013-10049

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201302-374

TYPE

Unknown

Trust: 0.3

sources: BID: 57958

EXTERNAL IDS

db:	EXPLOIT-DB	id:	24499	Trust: 1.6
db:	BID	id:	57958	Trust: 1.5
db:	EXPLOIT-DB	id:	28508	Trust: 1.0
db:	NVD	id:	CVE-2013-10049	Trust: 1.0
db:	CNVD	id:	CNVD-2013-01131	Trust: 0.6
db:	CNNVD	id:	CNNVD-201302-374	Trust: 0.6

sources: CNVD: CNVD-2013-01131 // BID: 57958 // CNNVD: CNNVD-201302-374 // NVD: CVE-2013-10049

REFERENCES

url:	https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb	Trust: 1.0
url:	https://web.archive.org/web/20160616174425/http://www.s3cur1ty.de/m1adv2013-010	Trust: 1.0
url:	https://www.vulncheck.com/advisories/raidsonic-nas-devices-unauth-rce	Trust: 1.0
url:	https://www.exploit-db.com/exploits/24499	Trust: 1.0
url:	https://www.exploit-db.com/exploits/28508	Trust: 1.0
url:	http://www.exploit-db.com/exploits/24499/	Trust: 0.6
url:	http://www.securityfocus.com/bid/57958	Trust: 0.6

sources: CNVD: CNVD-2013-01131 // CNNVD: CNNVD-201302-374 // NVD: CVE-2013-10049

CREDITS

m-1-k-3

Trust: 0.9

sources: BID: 57958 // CNNVD: CNNVD-201302-374

SOURCES

db:	CNVD	id:	CNVD-2013-01131
db:	BID	id:	57958
db:	CNNVD	id:	CNNVD-201302-374
db:	NVD	id:	CVE-2013-10049

LAST UPDATE DATE

2025-08-07T23:30:12.294000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2013-01131	date:	2013-02-21T00:00:00
db:	BID	id:	57958	date:	2013-09-25T00:15:00
db:	CNNVD	id:	CNNVD-201302-374	date:	2013-02-22T00:00:00
db:	NVD	id:	CVE-2013-10049	date:	2025-08-06T15:15:30.450

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2013-01131	date:	2013-02-21T00:00:00
db:	BID	id:	57958	date:	2013-02-14T00:00:00
db:	CNNVD	id:	CNNVD-201302-374	date:	2013-02-22T00:00:00
db:	NVD	id:	CVE-2013-10049	date:	2025-08-01T21:15:26.750