{"api_version":"1","generated_at":"2026-04-24T05:05:59+00:00","cve":"CVE-2021-32530","urls":{"html":"https://cve.report/CVE-2021-32530","api":"https://cve.report/api/cve/CVE-2021-32530.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-32530","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-32530"},"summary":{"title":"CVE-2021-32530","description":"OS command injection vulnerability in Array function in QSAN XEVO allows remote unauthenticated attackers to execute arbitrary commands via status parameter. The referred vulnerability has been solved with the updated version of QSAN XEVO v2.1.0.","state":"PUBLIC","assigner":"cve@cert.org.tw","published_at":"2021-07-07 14:15:00","updated_at":"2021-09-20 12:36:00"},"problem_types":["CWE-78"],"metrics":[],"references":[{"url":"https://www.twcert.org.tw/tw/cp-132-4886-d3b14-1.html","name":"N/A","refsource":"CONFIRM","tags":[],"title":"TWCERT/CC台灣電腦網路危機處理暨協調中心-QSAN XEVO - Command Injection Following via Array function","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-32530","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32530","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"32530","vulnerable":"1","versionEndIncluding":"1.2.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"qsan","cpe5":"xevo","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"AKA":"TWCERT/CC","ASSIGNER":"cve@cert.org.tw","DATE_PUBLIC":"2021-07-07T12:12:00.000Z","ID":"CVE-2021-32530","STATE":"PUBLIC",
"TITLE":"QSAN XEVO - Command Injection Following via Array function"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"XEVO","version":{"version_data":[{"version_affected":"<=","version_value":"1.2.0"}]}}]},"vendor_name":"QSAN"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"OS command injection vulnerability in Array function in QSAN XEVO allows remote unauthenticated attackers to execute arbitrary commands via status parameter. The referred vulnerability has been solved with the updated version of QSAN XEVO v2.1.0."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-78 OS Command Injection"}]}]},"references":{"reference_data":[{"name":"https://www.twcert.org.tw/tw/cp-132-4886-d3b14-1.html","refsource":"MISC","url":"https://www.twcert.org.tw/tw/cp-132-4886-d3b14-1.html"}]},"solution":[{"lang":"eng","value":"QSAN XEVO v2.1.0"}],"source":{"advisory":"TVN-202104035","discovery":"EXTERNAL"}},"nvd":{"publishedDate":"2021-07-07 14:15:00",
"lastModifiedDate":"2021-09-20 12:36:00","problem_types":["CWE-78"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:qsan:xevo:*:*:*:*:*:*:*:*","versionEndIncluding":"1.2.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"32530","Ordinal":"207915","Title":"CVE-2021-32530","CVE":"CVE-2021-32530","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"32530","Ordinal":"1","NoteData":"OS command injection vulnerability in Array function in QSAN XEVO allows remote unauthenticated attackers to execute arbitrary commands via status parameter. The referred vulnerability has been solved with the updated version of QSAN XEVO v2.1.0.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"32530","Ordinal":"2","NoteData":"2021-07-07","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"32530","Ordinal":"3","NoteData":"2021-07-22","Type":"Other","Title":"Modified"}]}}}