CVE-2025-58463
BaseFortify
Publication date: 2025-11-07
Last updated on: 2025-11-17
Assigner: QNAP Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qnap | download_station | 5.10.0.291 |
| qnap | quts_hero | h5.2.1.2929 |
| qnap | quts_hero | h5.2.1.2940 |
| qnap | download_station | From 5.10.0.291 (inc) to 5.10.0.305 (exc) |
| qnap | qts | 5.2.1.2930 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a relative path traversal issue in Download Station. If a remote attacker obtains an administrator account, they can exploit this flaw to read files or system data that they should not normally have access to by manipulating file paths.
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker with administrator access to read unexpected files or sensitive system data, potentially leading to unauthorized disclosure of confidential information or system compromise.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update Download Station to version 5.10.0.305 or later, or at least to version 5.10.0.304 or later, as these versions contain the fix for the vulnerability.