What are you looking for ?
Advertise with us
RAIDON

Qnap Security Advisory Bulletin ID: QSA-23-41, QSA-23-42, QSA-23-44, QSA-23-52

Concerning vulnerabilities in QTS, QuTS hero, and QuTScloud, Container Station, and Video Station

Qnap Systems, Inc. had published security enhancement against security vulnerabilities that could affect specific versions of its products.

Use the following information and solutions to correct the security issues and vulnerabilities.

This advisory includes following:

Vulnerabilities in QTS, QuTS hero, and QuTScloud

Security ID: QSA-23-41
Release date: October 14, 2023
CVE identifier: CVE-2023-32970 | CVE-2023-32973
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, 5.0.x, 4.5.x; QuTS hero h5.1.x, h5.0.x, h4.5.x; QuTScloud c5.x

Summary
Two vulnerabilities have been reported to affect several Qnap OS versions:

  • CVE-2023-32970: If exploited, the null pointer dereference vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network.
  • CVE-2023-32973: If exploited, the buffer copy without checking size of input vulnerability could allow authenticated administrators to execute code via a network.

The company have already fixed vulnerabilities in following versions:

Affected product

Fixed version

QTS 5.1.x

QTS 5.1.0.2444 build 20230629 and later

QTS 5.0.x

QTS 5.0.1.2425 build 20230609 and later

QTS 4.5.x

QTS 4.5.4.2467 build 20230718 and later

QuTS hero h5.1.x

QuTS hero h5.1.0.2424 build 20230609 and later

QuTS hero h5.0.x

QuTS hero h5.0.1.2515 build 20230907 and later

QuTS hero h4.5.x

QuTS hero h4.5.4.2476 build 20230728 and later

QuTScloud c5.x

QuTScloud c5.1.0.2498 and later

More information

 

Vulnerability in QTS, QuTS hero, and QuTScloud

Security ID: QSA-23-42
Release date: October 14, 2023
CVE identifier: CVE-2023-32974
Severity: High
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x, QuTScloud c5.x

Summary
A path traversal vulnerability has been reported to affect several Qnap OS versions. If exploited, the vulnerability could allow users to read and expose sensitive data via a network.

The company have already fixed vulnerability in following versions:

Affected product

Fixed version

QTS 5.1.x

QTS 5.1.0.2444 build 20230629 and later

QuTS hero h5.1.x

QuTS hero h5.1.0.2424 build 20230609 and later

QuTScloud c5.x

QuTScloud c5.1.0.2498 and later

More information

 

Vulnerability in Container Station
Security ID: QSA-23-44
Release date: October 14, 2023
CVE identifier: CVE-2023-32976
Severity: Medium
Status: Resolved
Affected products: Container Station 2.6.x

Summary
An OS command injection vulnerability has been reported to affect Container Station. If exploited, the vulnerability could allow authenticated administrators to execute arbitrary commands via a network.

The company have already fixed vulnerability in following version:

Affected product

Fixed version

Container Station 2.6.x

Container Station 2.6.7.44 and later

More information

 

Vulnerabilities in Video Station

Security ID: QSA-23-52
Release date: October 14, 2023
CVE identifier: CVE-2023-34975 | CVE-2023-34976 | CVE-2023-34977
Severity: High
Status: Resolved
Affected products: Video Station 5.7.x

Summary 3 vulnerabilities have been reported to affect Video Station:

  • CVE-2023-34975 and CVE-2023-34976: SQL injection vulnerabilities

  • CVE-2023-34977: Cross-site scripting (XSS) vulnerability

If exploited, these vulnerabilities could allow authenticated users to inject malicious code via a network.

The company have already fixed vulnerability in following version:

Affected product

Fixed version

Video Station 5.7.x

Video Station 5.7.0 (2023/07/27) and later

More information

Contact: questions regarding this issue

Articles_bottom
ExaGrid
AIC
ATTOtarget="_blank"
OPEN-E