Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-4dtz-r65a-n7f9
Summary An OS command injection vulnerability exists in multiple Raidsonic NAS devices—specifically tested on IB-NAS5220 and IB-NAS4220—via the unauthenticated timeHandler.cgi endpoint exposed through the web interface. The CGI script fails to properly sanitize user-supplied input in the timeZone parameter of a POST request, allowing remote attackers to inject arbitrary shell commands.
Aliases
0
alias CVE-2013-10049
Fixed_packages
Affected_packages
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2013-10049
reference_id
reference_type
scores
0
value 0.78102
scoring_system epss
scoring_elements 0.9904
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2013-10049
1
reference_url https://www.exploit-db.com/exploits/24499
reference_id 24499
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-06T14:49:40Z/
url https://www.exploit-db.com/exploits/24499
2
reference_url https://www.exploit-db.com/exploits/28508
reference_id 28508
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-06T14:49:40Z/
url https://www.exploit-db.com/exploits/28508
3
reference_url https://web.archive.org/web/20160616174425/http://www.s3cur1ty.de/m1adv2013-010
reference_id m1adv2013-010
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-06T14:49:40Z/
url https://web.archive.org/web/20160616174425/http://www.s3cur1ty.de/m1adv2013-010
4
reference_url https://www.vulncheck.com/advisories/raidsonic-nas-devices-unauth-rce
reference_id raidsonic-nas-devices-unauth-rce
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-06T14:49:40Z/
url https://www.vulncheck.com/advisories/raidsonic-nas-devices-unauth-rce
5
reference_url https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
reference_id raidsonic_nas_ib5220_exec_noauth.rb
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-08-06T14:49:40Z/
url https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
Weaknesses
0
cwe_id 78
name Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
description The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Exploits
0
date_added null
description
Different Raidsonic NAS devices are vulnerable to OS command injection via the web interface. The vulnerability exists in timeHandler.cgi, which is accessible without authentication. This module has been tested with the versions IB-NAS5220 and IB-NAS4220. Since this module is adding a new user and modifying the inetd daemon configuration, this module is set to ManualRanking and could cause target instability.
required_action null
due_date null
notes
Reliability:
  - unknown-reliability
Stability:
  - unknown-stability
SideEffects:
  - unknown-side-effects
known_ransomware_campaign_use false
source_date_published 2013-02-04
exploit_type null
platform Unix
source_date_updated null
data_source Metasploit
source_url https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
Severity_range_score 9.3 - 9.3
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4dtz-r65a-n7f9