Skip to main content

Helpdesk CVE-2018-0714

CRITICAL
Command Injection (CWE-77)
2018-08-13 security@qnapsecurity.com.tw
9.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 13, 2018 - 13:29 nvd
CRITICAL 9.8

DescriptionNVD

Command injection vulnerability in Helpdesk versions 1.1.21 and earlier in QNAP QTS 4.2.6 build 20180531, QTS 4.3.3 build 20180528, QTS 4.3.4 build 20180528 and their earlier versions could allow remote attackers to run arbitrary commands in the compromised application.

AnalysisAI

Command injection vulnerability in Helpdesk versions 1.1.21 and earlier in QNAP QTS 4.2.6 build 20180531, QTS 4.3.3 build 20180528, QTS 4.3.4 build 20180528 and their earlier versions could allow. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Command Injection (CWE-77), which allows attackers to inject arbitrary commands into system command execution. Command injection vulnerability in Helpdesk versions 1.1.21 and earlier in QNAP QTS 4.2.6 build 20180531, QTS 4.3.3 build 20180528, QTS 4.3.4 build 20180528 and their earlier versions could allow remote attackers to run arbitrary commands in the compromised application. Affected products include: Qnap Helpdesk.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized APIs, avoid shell execution, validate input with strict allowlists.

CVE-2025-10655 HIGH POC
8.6 Dec 09

SQL injection in Frappe HelpDesk 1.14.0 dashboard functionality allows authenticated attackers to execute arbitrary SQL

CVE-2020-11431 CRITICAL
9.1 May 07

The documentation component in i-net Clear Reports 16.0 to 19.2, HelpDesk 8.0 to 8.3, and PDFC 4.3 to 6.2 allows a remot

CVE-2021-28814 HIGH
8.8 Jun 11

An improper access control vulnerability has been reported to affect QNAP NAS. Rated high severity (CVSS 8.8), this vuln

CVE-2024-58343 MEDIUM POC
4.3 Apr 16

Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie d

CVE-2024-50394 HIGH
7.7 Mar 07

An improper certificate validation vulnerability has been reported to affect Helpdesk. Rated high severity (CVSS 7.7), t

CVE-2020-2500 MEDIUM
6.5 Jul 01

This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Rated med

CVE-2026-23758 MEDIUM
6.4 Apr 20

GFI HelpDesk before version 4.99.9 allows authenticated staff members to inject persistent JavaScript into ticket subjec

CVE-2026-23756 MEDIUM
5.1 Apr 20

Stored cross-site scripting in GFI HelpDesk before version 4.99.9 allows authenticated staff members to inject arbitrary

CVE-2026-23757 MEDIUM
5.1 Apr 20

Stored cross-site scripting in GFI HelpDesk before version 4.99.10 allows authenticated attackers to inject arbitrary Ja

CVE-2026-23753 MEDIUM
4.8 Apr 20

GFI HelpDesk before version 4.99.9 contains a stored cross-site scripting vulnerability in language management where the

CVE-2026-23752 MEDIUM
4.8 Apr 20

GFI HelpDesk before version 4.99.9 allows authenticated administrators to inject stored cross-site scripting (XSS) paylo

CVE-2024-27125 MEDIUM
4.8 Sep 06

A cross-site scripting (XSS) vulnerability has been reported to affect Helpdesk. Rated medium severity (CVSS 4.8), this

Share

CVE-2018-0714 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy