All the vulnerabilites related to QNAP Systems Inc. - Notes Station 3
cve-2024-27126
Vulnerability from cvelistv5
Published
2024-09-06 16:26
Modified
2024-09-06 17:50
Severity ?
EPSS score ?
Summary
A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.
We have already fixed the vulnerability in the following versions:
Notes Station 3 3.9.6 and later
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | QNAP Systems Inc. | Notes Station 3 |
Version: 3.9.x < 3.9.6 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-27126", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-06T17:50:29.980137Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-06T17:50:39.130Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Notes Station 3", "vendor": "QNAP Systems Inc.", "versions": [ { "lessThan": "3.9.6", "status": "affected", "version": "3.9.x", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eNotes Station 3 3.9.6 and later\u003cbr\u003e" } ], "value": "A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nNotes Station 3 3.9.6 and later" } ], "impacts": [ { "capecId": "CAPEC-63", "descriptions": [ { "lang": "en", "value": "CAPEC-63" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-06T16:26:37.078Z", "orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap" }, "references": [ { "url": "https://www.qnap.com/en/security-advisory/qsa-24-21" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eNotes Station 3 3.9.6 and later\u003cbr\u003e" } ], "value": "We have already fixed the vulnerability in the following versions:\nNotes Station 3 3.9.6 and later" } ], "source": { "advisory": "QSA-24-21", "discovery": "EXTERNAL" }, "title": "Notes Station 3", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "assignerShortName": "qnap", "cveId": "CVE-2024-27126", "datePublished": "2024-09-06T16:26:37.078Z", "dateReserved": "2024-02-20T09:36:58.212Z", "dateUpdated": "2024-09-06T17:50:39.130Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-27122
Vulnerability from cvelistv5
Published
2024-09-06 16:26
Modified
2024-09-06 17:27
Severity ?
EPSS score ?
Summary
A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.
We have already fixed the vulnerability in the following versions:
Notes Station 3 3.9.6 and later
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | QNAP Systems Inc. | Notes Station 3 |
Version: 3.9.x < 3.9.6 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-27122", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-06T17:27:16.247409Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-06T17:27:22.814Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Notes Station 3", "vendor": "QNAP Systems Inc.", "versions": [ { "lessThan": "3.9.6", "status": "affected", "version": "3.9.x", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eNotes Station 3 3.9.6 and later\u003cbr\u003e" } ], "value": "A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nNotes Station 3 3.9.6 and later" } ], "impacts": [ { "capecId": "CAPEC-63", "descriptions": [ { "lang": "en", "value": "CAPEC-63" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-06T16:26:32.362Z", "orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap" }, "references": [ { "url": "https://www.qnap.com/en/security-advisory/qsa-24-21" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eNotes Station 3 3.9.6 and later\u003cbr\u003e" } ], "value": "We have already fixed the vulnerability in the following versions:\nNotes Station 3 3.9.6 and later" } ], "source": { "advisory": "QSA-24-21", "discovery": "EXTERNAL" }, "title": "Notes Station 3", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "assignerShortName": "qnap", "cveId": "CVE-2024-27122", "datePublished": "2024-09-06T16:26:32.362Z", "dateReserved": "2024-02-20T09:36:58.211Z", "dateUpdated": "2024-09-06T17:27:22.814Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-38643
Vulnerability from cvelistv5
Published
2024-11-22 15:32
Modified
2024-11-22 16:51
Severity ?
EPSS score ?
Summary
A missing authentication for critical function vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote attackers to gain access to and execute certain functions.
We have already fixed the vulnerability in the following version:
Notes Station 3 3.9.7 and later
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | QNAP Systems Inc. | Notes Station 3 |
Version: 3.9.x < 3.9.7 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:qnap:notes_station_3:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "notes_station_3", "vendor": "qnap", "versions": [ { "lessThan": "3.9.7", "status": "affected", "version": "3.9.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-38643", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-22T16:51:30.394851Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-22T16:51:35.154Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Notes Station 3", "vendor": "QNAP Systems Inc.", "versions": [ { "lessThan": "3.9.7", "status": "affected", "version": "3.9.x", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Thomas Fady" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A missing authentication for critical function vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote attackers to gain access to and execute certain functions.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following version:\u003cbr\u003eNotes Station 3 3.9.7 and later\u003cbr\u003e" } ], "value": "A missing authentication for critical function vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote attackers to gain access to and execute certain functions.\n\nWe have already fixed the vulnerability in the following version:\nNotes Station 3 3.9.7 and later" } ], "impacts": [ { "capecId": "CAPEC-115", "descriptions": [ { "lang": "en", "value": "CAPEC-115" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-306", "description": "CWE-306", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-22T15:32:38.356Z", "orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap" }, "references": [ { "url": "https://www.qnap.com/en/security-advisory/qsa-24-36" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "We have already fixed the vulnerability in the following version:\u003cbr\u003eNotes Station 3 3.9.7 and later\u003cbr\u003e" } ], "value": "We have already fixed the vulnerability in the following version:\nNotes Station 3 3.9.7 and later" } ], "source": { "advisory": "QSA-24-36", "discovery": "EXTERNAL" }, "title": "Notes Station 3", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "assignerShortName": "qnap", "cveId": "CVE-2024-38643", "datePublished": "2024-11-22T15:32:38.356Z", "dateReserved": "2024-06-19T00:17:01.279Z", "dateUpdated": "2024-11-22T16:51:35.154Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-38646
Vulnerability from cvelistv5
Published
2024-11-22 15:32
Modified
2024-11-22 16:49
Severity ?
EPSS score ?
Summary
An incorrect permission assignment for critical resource vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow local authenticated attackers who have gained administrator access to read or modify the resource.
We have already fixed the vulnerability in the following version:
Notes Station 3 3.9.7 and later
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | QNAP Systems Inc. | Notes Station 3 |
Version: 3.9.x < 3.9.7 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:qnap:notes_station_3:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "notes_station_3", "vendor": "qnap", "versions": [ { "lessThan": "3.9.7", "status": "affected", "version": "3.9.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-38646", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-22T16:49:46.668180Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-22T16:49:50.421Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Notes Station 3", "vendor": "QNAP Systems Inc.", "versions": [ { "lessThan": "3.9.7", "status": "affected", "version": "3.9.x", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Thomas Fady" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "An incorrect permission assignment for critical resource vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow local authenticated attackers who have gained administrator access to read or modify the resource.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following version:\u003cbr\u003eNotes Station 3 3.9.7 and later\u003cbr\u003e" } ], "value": "An incorrect permission assignment for critical resource vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow local authenticated attackers who have gained administrator access to read or modify the resource.\n\nWe have already fixed the vulnerability in the following version:\nNotes Station 3 3.9.7 and later" } ], "impacts": [ { "capecId": "CAPEC-122", "descriptions": [ { "lang": "en", "value": "CAPEC-122" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 8.4, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-732", "description": "CWE-732", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-22T15:32:20.386Z", "orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap" }, "references": [ { "url": "https://www.qnap.com/en/security-advisory/qsa-24-36" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "We have already fixed the vulnerability in the following version:\u003cbr\u003eNotes Station 3 3.9.7 and later\u003cbr\u003e" } ], "value": "We have already fixed the vulnerability in the following version:\nNotes Station 3 3.9.7 and later" } ], "source": { "advisory": "QSA-24-36", "discovery": "EXTERNAL" }, "title": "Notes Station 3", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "assignerShortName": "qnap", "cveId": "CVE-2024-38646", "datePublished": "2024-11-22T15:32:20.386Z", "dateReserved": "2024-06-19T00:17:01.280Z", "dateUpdated": "2024-11-22T16:49:50.421Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-38644
Vulnerability from cvelistv5
Published
2024-11-22 15:32
Modified
2024-11-22 16:50
Severity ?
EPSS score ?
Summary
An OS command injection vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote authenticated attackers to execute commands.
We have already fixed the vulnerability in the following version:
Notes Station 3 3.9.7 and later
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | QNAP Systems Inc. | Notes Station 3 |
Version: 3.9.x < 3.9.7 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:qnap:notes_station_3:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "notes_station_3", "vendor": "qnap", "versions": [ { "lessThan": "3.9.7", "status": "affected", "version": "3.9.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-38644", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-22T16:50:46.024700Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-22T16:50:56.156Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Notes Station 3", "vendor": "QNAP Systems Inc.", "versions": [ { "lessThan": "3.9.7", "status": "affected", "version": "3.9.x", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Thomas Fady" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "An OS command injection vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote authenticated attackers to execute commands.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following version:\u003cbr\u003eNotes Station 3 3.9.7 and later\u003cbr\u003e" } ], "value": "An OS command injection vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote authenticated attackers to execute commands.\n\nWe have already fixed the vulnerability in the following version:\nNotes Station 3 3.9.7 and later" } ], "impacts": [ { "capecId": "CAPEC-88", "descriptions": [ { "lang": "en", "value": "CAPEC-88" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-77", "description": "CWE-77", "lang": "en", "type": "CWE" }, { "cweId": "CWE-78", "description": "CWE-78", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-22T15:32:31.923Z", "orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap" }, "references": [ { "url": "https://www.qnap.com/en/security-advisory/qsa-24-36" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "We have already fixed the vulnerability in the following version:\u003cbr\u003eNotes Station 3 3.9.7 and later\u003cbr\u003e" } ], "value": "We have already fixed the vulnerability in the following version:\nNotes Station 3 3.9.7 and later" } ], "source": { "advisory": "QSA-24-36", "discovery": "EXTERNAL" }, "title": "Notes Station 3", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "assignerShortName": "qnap", "cveId": "CVE-2024-38644", "datePublished": "2024-11-22T15:32:31.923Z", "dateReserved": "2024-06-19T00:17:01.279Z", "dateUpdated": "2024-11-22T16:50:56.156Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-38645
Vulnerability from cvelistv5
Published
2024-11-22 15:32
Modified
2024-11-22 16:52
Severity ?
EPSS score ?
Summary
A server-side request forgery (SSRF) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote authenticated attackers to read application data.
We have already fixed the vulnerability in the following version:
Notes Station 3 3.9.7 and later
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | QNAP Systems Inc. | Notes Station 3 |
Version: 3.9.x < 3.9.7 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:qnap:notes_station_3:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "notes_station_3", "vendor": "qnap", "versions": [ { "lessThan": "3.9.7", "status": "affected", "version": "3.9.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-38645", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-22T16:51:57.890903Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-22T16:52:01.922Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Notes Station 3", "vendor": "QNAP Systems Inc.", "versions": [ { "lessThan": "3.9.7", "status": "affected", "version": "3.9.x", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Thomas Fady" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A server-side request forgery (SSRF) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote authenticated attackers to read application data.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following version:\u003cbr\u003eNotes Station 3 3.9.7 and later\u003cbr\u003e" } ], "value": "A server-side request forgery (SSRF) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote authenticated attackers to read application data.\n\nWe have already fixed the vulnerability in the following version:\nNotes Station 3 3.9.7 and later" } ], "impacts": [ { "capecId": "CAPEC-664", "descriptions": [ { "lang": "en", "value": "CAPEC-664" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.4, "baseSeverity": "CRITICAL", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-22T15:32:26.439Z", "orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap" }, "references": [ { "url": "https://www.qnap.com/en/security-advisory/qsa-24-36" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "We have already fixed the vulnerability in the following version:\u003cbr\u003eNotes Station 3 3.9.7 and later\u003cbr\u003e" } ], "value": "We have already fixed the vulnerability in the following version:\nNotes Station 3 3.9.7 and later" } ], "source": { "advisory": "QSA-24-36", "discovery": "EXTERNAL" }, "title": "Notes Station 3", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "assignerShortName": "qnap", "cveId": "CVE-2024-38645", "datePublished": "2024-11-22T15:32:26.439Z", "dateReserved": "2024-06-19T00:17:01.280Z", "dateUpdated": "2024-11-22T16:52:01.922Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }