Qnap Security Advisory on Fifteen Resolved Vulnerabilities
Concerning QTS and QuTS hero NAS OSs, and Apps for NAS
This is a Press Release edited by StorageNewsletter.com on September 9, 2024 at 2:01 pm
QNAP Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of its products.
Use the following information and solutions to correct the security issues and vulnerabilities.
This advisory includes the following:
- Multiple Vulnerabilities in QTS and QuTS hero (ID: QSA-24-20)
- Multiple Vulnerabilities in Notes Station 3 (ID: QSA-24-21)
- Vulnerability in QVR Smart Client (ID: QSA-24-22)
- Multiple Vulnerabilities in QTS and QuTS hero (ID: QSA-24-23)
- Vulnerabilities in Video Station (ID: QSA-24-24)
- Vulnerability in Music Station (ID: QSA-24-25)
- Vulnerability in Legacy Versions of QTS (ID: QSA-24-26)
- Vulnerability in curl (ID: QSA-24-27)
- Vulnerabilities in QTS and QuTS hero (ID: QSA-24-28)
- Vulnerability in Helpdesk (ID: QSA-24-29)
- Vulnerability in QuLog Center (ID: QSA-24-30)
- Multiple Vulnerabilities in QTS and QuTS hero (ID: QSA-24-32)
- Multiple Vulnerabilities in QTS and QuTS hero (ID: QSA-24-33)
- Vulnerability in QuMagie (ID: QSA-24-34)
- Vulnerability in Download Station (ID: QSA-24-35)
Multiple Vulnerabilities in QTS and QuTS hero
Security ID: QSA-24-20
Release date: April 25, 2024
CVE identifier: CVE-2023-50361 | CVE-2023-50362 | CVE-2023-50363 | CVE-2023-50364 | CVE-2023-50366 | CVE-2023-51366 | CVE-2023-51367 | CVE-2023-51368 | CVE-2024-21897 | CVE-2024-21898 | CVE-2024-21903
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x
Summary
Multiple vulnerabilities have been reported to affect certain QNAP OS versions:
- CVE-2023-50361, CVE-2023-50362, CVE-2023-50364, CVE-2023-51367: If exploited, the buffer copy without checking size of input vulnerabilities could allow remote attackers who have gained user access to execute arbitrary code.
- CVE-2023-50363: If exploited, the incorrect authorization vulnerability could allow remote attackers who have gained user access to bypass 2-step verification.
- CVE-2023-50366: If exploited, the cross-site scripting (XSS) vulnerability could allow attackers who have gained administrator access to inject malicious code.
- CVE-2023-51366: If exploited, the path traversal vulnerability could allow remote attackers who have gained user access to traverse the file system and read sensitive data.
- CVE-2023-51368: If exploited, the NULL pointer dereference vulnerability could allow remote attackers who have gained user access to launch a denial-of-service (DoS) attack.
- CVE-2024-21897: If exploited, the cross-site scripting (XSS) vulnerability could allow attackers who have gained user access to inject malicious code.
- CVE-2024-21898, CVE-2024-21903: If exploited, the OS command injection vulnerabilities could allow remote attackers who have gained user access to inject malicious commands.
Multiple Vulnerabilities in Notes Station 3
Security ID: QSA-24-21
Release date: September 7, 2024
CVE identifier: CVE-2024-27122 | CVE-2024-27126
Severity: Medium
Status: Resolved
Affected products: Notes Station 3 3.9.x
Summary
Multiple vulnerabilities have been reported to affect Notes Station 3:
- CVE-2024-27122, CVE-2024-27126: If exploited, the cross-site scripting (XSS) vulnerabilities could allow remote attackers who have gained user access to inject malicious code.
Vulnerability in QVR Smart Client
Security ID: QSA-24-22
Release date: September 7, 2024
CVE identifier: CVE-2022-27592
Severity: Medium
Status: Resolved
Affected products: QVR Smart Client 2.4.x
Summary
| Affected product | Fixed version |
| --- | --- |
| QVR Smart Client 2.4.x | QVR Smart Client 2.4.0.0570 and later |
Multiple Vulnerabilities in QTS and QuTS hero
Security ID: QSA-24-23
Release date: May 21, 2024
CVE identifier: CVE-2024-21902 | CVE-2024-27127 | CVE-2024-27128 | CVE-2024-27129 | CVE-2024-27130
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x
Summary
Multiple vulnerabilities have been reported to affect certain QNAP OS versions:
- CVE-2024-21902: If exploited, the incorrect permission assignment for critical resources vulnerability could allow remote attackers who have gained user access to read or modify critical resources.
- CVE-2024-27127: If exploited, the double free vulnerability could allow remote attackers who have gained user access to execute arbitrary code.
- CVE-2024-27128, CVE-2024-27129, CVE-2024-27130: If exploited, the buffer copy without checking size of input vulnerabilities could allow remote attackers who have gained user access to execute arbitrary code.
- CVE-2024-21904: If exploited, the path traversal vulnerability could allow remote users to read the contents of unexpected files and expose sensitive data.
Vulnerabilities in Video Station
Security ID: QSA-24-24
Release date: September 7, 2024
CVE identifier: CVE-2023-47563 | CVE-2023-50360
Severity: High
Status: Resolved
Affected products: Video Station 5.x
Summary
Multiple vulnerabilities have been reported to affect Video Station:
- CVE-2023-47563: If exploited, the OS command injection vulnerability could allow remote attackers to execute arbitrary commands on the OS through the application’s input.
- CVE-2023-50360: If exploited, the SQL injection vulnerability could allow attackers to inject malicious code.
Vulnerability in Music Station
Security ID: QSA-24-25
Release date: September 7, 2024
CVE identifier: CVE-2023-45038
Severity: Medium
Status: Resolved
Affected products: Music Station 5.x
Summary
| Affected product | Fixed version |
| --- | --- |
| Music Station 5.x | Music Station 5.4.0 and later |
Vulnerability in Legacy Versions of QTS
Security ID: QSA-24-26
Release date: September 7, 2024
CVE identifier: CVE-2023-39300
Severity: Medium
Status: Resolved
Affected products: QTS 4.3.x, 4.2.x
Summary
| Affected product | Fixed version |
| --- | --- |
| QTS 4.3.6 | QTS 4.3.6.2805 build 20240619 and later |
| QTS 4.3.4 | QTS 4.3.4.2814 build 20240618 and later |
| QTS 4.3.3 | QTS 4.3.3.2784 build 20240619 and later |
| QTS 4.2.6 | QTS 4.2.6 build 20240618 and later |
Vulnerability in curl
Security ID: QSA-24-27
Release date: September 7, 2024
CVE identifier: CVE-2023-38545
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x
Summary
| Affected product | Fixed version |
| --- | --- |
| QTS 5.1.x | QTS 5.1.7.2770 build 20240520 and later |
| QuTS hero h5.1.x | QuTS hero h5.1.7.2770 build 20240520 and later |
Vulnerabilities in QTS and QuTS hero
Security ID: QSA-24-28
Release date: September 7, 2024
CVE identifier: CVE-2024-32771 | CVE-2023-39298
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x
Summary
Multiple vulnerabilities have been reported to affect certain QNAP OS versions:
- CVE-2024-32771: If exploited, the improper restriction of excessive authentication attempts vulnerability could allow attackers to use brute force attacks to gain privileged access.
- CVE-2023-39298: If exploited, the missing authorization vulnerability could allow local attackers who have gained user access to access data or perform actions without the proper privileges.
Vulnerability in Helpdesk
Security ID: QSA-24-29
Release date: September 7, 2024
CVE identifier: CVE-2024-27125
Severity: Low
Status: Resolved
Affected products: Helpdesk 3.3.x
Summary
| Affected product | Fixed version |
| --- | --- |
| Helpdesk 3.3.x | Helpdesk 3.3.1 and later |
Vulnerability in QuLog Center
Security ID: QSA-24-30
Release date: September 7, 2024
CVE identifier: CVE-2024-32762
Severity: Medium
Status: Resolved
Affected products: QuLog Center 1.8.x, 1.7.x
Summary
| Affected product | Fixed version |
| --- | --- |
| QuLog Center 1.8.x | QuLog Center 1.8.0.872 (2024/06/17) and later |
| QuLog Center 1.7.x | QuLog Center 1.7.0.827 (2024/06/17) and later |
Multiple Vulnerabilities in QTS and QuTS hero
Security ID: QSA-24-32
Release date: September 7, 2024
CVE identifier: CVE-2023-34974 | CVE-2023-34979
Severity: Medium
Status: Resolved
Affected products: QTS 4.5.x, QuTS hero h4.5.x
Summary
Multiple vulnerabilities have been reported to affect certain QNAP OS versions:
- CVE-2023-34974: If exploited, the OS command injection vulnerability could allow remote attackers who have gained user access to inject malicious commands.
- CVE-2023-34979: If exploited, the OS command injection vulnerability could allow remote attackers who have gained administrator access to inject malicious commands.
Multiple Vulnerabilities in QTS and QuTS hero
Security ID: QSA-24-33
Release date: September 7, 2024
CVE identifier: CVE-2024-21906 | CVE-2024-32763 | CVE-2024-38641
Severity: High
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x
Summary
Multiple vulnerabilities have been reported to affect certain QNAP OS versions:
- CVE-2024-32763: If exploited, the buffer copy without checking size of input vulnerability could allow remote attackers who have gained user access to execute arbitrary code.
- CVE-2024-38641: If exploited, the OS command injection vulnerability could allow local attackers who have gained user access to inject malicious commands.
- CVE-2024-21906: If exploited, the OS command injection vulnerability could allow remote attackers who have gained administrator access to inject malicious commands.
Vulnerability in QuMagie
Security ID: QSA-24-34
Release date: September 7, 2024
CVE identifier: CVE-2024-38642
Severity: Medium
Status: Resolved
Affected products: QuMagie 2.3.x
Summary
| Affected product | Fixed version |
| --- | --- |
| QuMagie 2.3.x | QuMagie 2.3.1 and later |
Vulnerability in Download Station
Security ID: QSA-24-35
Release date: September 7, 2024
CVE identifier: CVE-2024-38640
Severity: Medium
Status: Resolved
Affected products: Download Station 5.8.x
Summary
| Affected product | Fixed version |
| --- | --- |
| Download Station 5.8.x | Download Station 5.8.6.283 (2024/06/21) and later |