
Qnap Resolved Vulnerabilities: Two Security Advisories Bulletin ID QSA-23-24 and QSA-23-50

Concerning vulnerabilities in QTS, QuTS hero and QuTScloud OS, and multiple vulnerabilities in QuMagie

Qnap Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of the company’s products.

Use the following information and solutions to correct the security issues and vulnerabilities.

This advisory includes the following:

 

Vulnerability in QTS, QuTS hero, and QuTScloud
Security ID: QSA-23-24
Release date: November 11, 2023
CVE identifier: CVE-2023-23367
Severity: Medium
Status: Resolved
Affected products: QTS 5.0.x, QuTS hero h5.0.x, QuTScloud c5.x

Summary
An OS command injection vulnerability has been reported to affect several Qnap OSs. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.

The company has already fixed the vulnerability in the following versions:

| Affected product | Fixed version |
|---|---|
| QTS 5.0.x | QTS 5.0.1.2376 build 20230421 and later |
| QuTS hero h5.0.x | QuTS hero h5.0.1.2376 build 20230421 and later |
| QuTScloud c5.x | QuTScloud c5.1.0.2498 and later |


 

Multiple Vulnerabilities in QuMagie
Security ID: QSA-23-50
Release date: November 11, 2023
CVE identifier: CVE-2023-39295 | CVE-2023-41284 | CVE-2023-41285
Severity: High
Status: Resolved
Affected products: QuMagie 2.1.x

Summary
Multiple vulnerabilities have been reported to affect QuMagie:

  • CVE-2023-39295: If exploited, the OS command injection vulnerability could allow authenticated users to execute commands via a network.

  • CVE-2023-41284: If exploited, the SQL injection vulnerability could allow authenticated users to inject malicious code via a network.

  • CVE-2023-41285: If exploited, the SQL injection vulnerability could allow authenticated users to inject malicious code via a network.

The company has already fixed the vulnerabilities in the following version:

| Affected product | Fixed version |
|---|---|
| QuMagie 2.1.x | QuMagie 2.1.4 and later |
