Refine your search
87 vulnerabilities found for qts by qnap
CVE-2025-62849 (GCVE-0-2025-62849)
Vulnerability from nvd
Published
2025-12-16 02:24
Modified
2025-12-17 04:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands.
We have already fixed the vulnerability in the following versions:
QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.7.3297 build 20251024 and later
QuTS hero h5.3.1.3292 build 20251024 and later
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 5.2.x < 5.2.7.3297 build 20251024 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62849",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T04:55:48.298Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.2.7.3297 build 20251024",
"status": "affected",
"version": "5.2.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.2.7.3297 build 20251024",
"status": "affected",
"version": "h5.2.x",
"versionType": "custom"
},
{
"lessThan": "h5.3.1.3292 build 20251024",
"status": "affected",
"version": "h5.3.x",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:qts:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.2.7.3297_build_20251024",
"versionStartIncluding": "5.2.x",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:quts_hero:*:*:*:*:*:*:*:*",
"versionEndExcluding": "h5.2.7.3297_build_20251024",
"versionStartIncluding": "h5.2.x",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:quts_hero:*:*:*:*:*:*:*:*",
"versionEndExcluding": "h5.3.1.3292_build_20251024",
"versionStartIncluding": "h5.3.x",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pwn2Own 2025 - DEVCORE"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.3.1.3292 build 20251024 and later\u003cbr\u003e"
}
],
"value": "An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3297 build 20251024 and later\nQuTS hero h5.2.7.3297 build 20251024 and later\nQuTS hero h5.3.1.3292 build 20251024 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T02:24:58.273Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-25-45"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.3.1.3292 build 20251024 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3297 build 20251024 and later\nQuTS hero h5.2.7.3297 build 20251024 and later\nQuTS hero h5.3.1.3292 build 20251024 and later"
}
],
"source": {
"advisory": "QSA-25-45",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2025-62849",
"datePublished": "2025-12-16T02:24:58.273Z",
"dateReserved": "2025-10-24T02:43:49.268Z",
"dateUpdated": "2025-12-17T04:55:48.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62848 (GCVE-0-2025-62848)
Vulnerability from nvd
Published
2025-12-16 02:25
Modified
2025-12-16 21:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following versions:
QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.7.3297 build 20251024 and later
QuTS hero h5.3.1.3292 build 20251024 and later
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 5.2.x < 5.2.7.3297 build 20251024 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62848",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T21:24:45.780330Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T21:24:54.910Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.2.7.3297 build 20251024",
"status": "affected",
"version": "5.2.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.2.7.3297 build 20251024",
"status": "affected",
"version": "h5.2.x",
"versionType": "custom"
},
{
"lessThan": "h5.3.1.3292 build 20251024",
"status": "affected",
"version": "h5.3.x",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:qts:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.2.7.3297_build_20251024",
"versionStartIncluding": "5.2.x",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:quts_hero:*:*:*:*:*:*:*:*",
"versionEndExcluding": "h5.2.7.3297_build_20251024",
"versionStartIncluding": "h5.2.x",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:quts_hero:*:*:*:*:*:*:*:*",
"versionEndExcluding": "h5.3.1.3292_build_20251024",
"versionStartIncluding": "h5.3.x",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pwn2Own 2025 - DEVCORE"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.3.1.3292 build 20251024 and later\u003cbr\u003e"
}
],
"value": "A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3297 build 20251024 and later\nQuTS hero h5.2.7.3297 build 20251024 and later\nQuTS hero h5.3.1.3292 build 20251024 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-129",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-129"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T02:25:04.815Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-25-45"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.3.1.3292 build 20251024 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3297 build 20251024 and later\nQuTS hero h5.2.7.3297 build 20251024 and later\nQuTS hero h5.3.1.3292 build 20251024 and later"
}
],
"source": {
"advisory": "QSA-25-45",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2025-62848",
"datePublished": "2025-12-16T02:25:04.815Z",
"dateReserved": "2025-10-24T02:43:45.373Z",
"dateUpdated": "2025-12-16T21:24:54.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62847 (GCVE-0-2025-62847)
Vulnerability from nvd
Published
2025-12-16 02:25
Modified
2025-12-16 21:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
An improper neutralization of argument delimiters in a command vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to alter execution logic.
We have already fixed the vulnerability in the following versions:
QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.7.3297 build 20251024 and later
QuTS hero h5.3.1.3292 build 20251024 and later
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 5.2.x < 5.2.7.3297 build 20251024 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62847",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T21:25:16.928426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T21:25:23.090Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.2.7.3297 build 20251024",
"status": "affected",
"version": "5.2.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.2.7.3297 build 20251024",
"status": "affected",
"version": "h5.2.x",
"versionType": "custom"
},
{
"lessThan": "h5.3.1.3292 build 20251024",
"status": "affected",
"version": "h5.3.x",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:qts:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.2.7.3297_build_20251024",
"versionStartIncluding": "5.2.x",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:quts_hero:*:*:*:*:*:*:*:*",
"versionEndExcluding": "h5.2.7.3297_build_20251024",
"versionStartIncluding": "h5.2.x",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:quts_hero:*:*:*:*:*:*:*:*",
"versionEndExcluding": "h5.3.1.3292_build_20251024",
"versionStartIncluding": "h5.3.x",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pwn2Own 2025 - DEVCORE"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper neutralization of argument delimiters in a command vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to alter execution logic.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.3.1.3292 build 20251024 and later\u003cbr\u003e"
}
],
"value": "An improper neutralization of argument delimiters in a command vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to alter execution logic.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3297 build 20251024 and later\nQuTS hero h5.2.7.3297 build 20251024 and later\nQuTS hero h5.3.1.3292 build 20251024 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T02:25:11.210Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-25-45"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.3.1.3292 build 20251024 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3297 build 20251024 and later\nQuTS hero h5.2.7.3297 build 20251024 and later\nQuTS hero h5.3.1.3292 build 20251024 and later"
}
],
"source": {
"advisory": "QSA-25-45",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2025-62847",
"datePublished": "2025-12-16T02:25:11.210Z",
"dateReserved": "2025-10-24T02:43:45.373Z",
"dateUpdated": "2025-12-16T21:25:23.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59385 (GCVE-0-2025-59385)
Vulnerability from nvd
Published
2025-12-16 02:25
Modified
2025-12-17 04:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
An authentication bypass by spoofing vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to access resources which are not otherwise accessible without proper authentication.
We have already fixed the vulnerability in the following versions:
QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.7.3297 build 20251024 and later
QuTS hero h5.3.1.3292 build 20251024 and later
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 5.2.x < 5.2.7.3297 build 20251024 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T04:55:46.464Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.2.7.3297 build 20251024",
"status": "affected",
"version": "5.2.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.2.7.3297 build 20251024",
"status": "affected",
"version": "h5.2.x",
"versionType": "custom"
},
{
"lessThan": "h5.3.1.3292 build 20251024",
"status": "affected",
"version": "h5.3.x",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:qts:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.2.7.3297_build_20251024",
"versionStartIncluding": "5.2.x",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:quts_hero:*:*:*:*:*:*:*:*",
"versionEndExcluding": "h5.2.7.3297_build_20251024",
"versionStartIncluding": "h5.2.x",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:quts_hero:*:*:*:*:*:*:*:*",
"versionEndExcluding": "h5.3.1.3292_build_20251024",
"versionStartIncluding": "h5.3.x",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Le Mau Anh Phong at Verichains Cyber Force"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authentication bypass by spoofing vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to access resources which are not otherwise accessible without proper authentication.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.3.1.3292 build 20251024 and later\u003cbr\u003e"
}
],
"value": "An authentication bypass by spoofing vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to access resources which are not otherwise accessible without proper authentication.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3297 build 20251024 and later\nQuTS hero h5.2.7.3297 build 20251024 and later\nQuTS hero h5.3.1.3292 build 20251024 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T02:25:16.661Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-25-45"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.3.1.3292 build 20251024 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3297 build 20251024 and later\nQuTS hero h5.2.7.3297 build 20251024 and later\nQuTS hero h5.3.1.3292 build 20251024 and later"
}
],
"source": {
"advisory": "QSA-25-45",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2025-59385",
"datePublished": "2025-12-16T02:25:16.661Z",
"dateReserved": "2025-09-15T08:35:00.660Z",
"dateUpdated": "2025-12-17T04:55:46.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-53696 (GCVE-0-2024-53696)
Vulnerability from nvd
Published
2025-03-07 16:13
Modified
2025-03-07 17:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A server-side request forgery (SSRF) vulnerability has been reported to affect QuLog Center. If exploited, the vulnerability could allow remote attackers who have gained administrator access to read application data.
We have already fixed the vulnerability in the following versions:
QuLog Center 1.7.0.829 ( 2024/10/01 ) and later
QuLog Center 1.8.0.888 ( 2024/10/15 ) and later
QTS 4.5.4.2957 build 20241119 and later
QuTS hero h4.5.4.2956 build 20241119 and later
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QuLog Center |
Version: 1.7.x.x < 1.7.0.829 ( 2024/10/01 ) Version: 1.8.x.x < 1.8.0.888 ( 2024/10/15 ) |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53696",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T17:54:00.666580Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T17:54:11.651Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QuLog Center",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "1.7.0.829 ( 2024/10/01 )",
"status": "affected",
"version": "1.7.x.x",
"versionType": "custom"
},
{
"lessThan": "1.8.0.888 ( 2024/10/15 )",
"status": "affected",
"version": "1.8.x.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.4.2957 build 20241119",
"status": "affected",
"version": "4.5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.4.2956 build 20241119",
"status": "affected",
"version": "h4.5.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aymen BORGI and Ibrahim AYADHI from RandoriSec"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A server-side request forgery (SSRF) vulnerability has been reported to affect QuLog Center. If exploited, the vulnerability could allow remote attackers who have gained administrator access to read application data.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQuLog Center 1.7.0.829 ( 2024/10/01 ) and later\u003cbr\u003eQuLog Center 1.8.0.888 ( 2024/10/15 ) and later\u003cbr\u003eQTS 4.5.4.2957 build 20241119 and later\u003cbr\u003eQuTS hero h4.5.4.2956 build 20241119 and later\u003cbr\u003e"
}
],
"value": "A server-side request forgery (SSRF) vulnerability has been reported to affect QuLog Center. If exploited, the vulnerability could allow remote attackers who have gained administrator access to read application data.\n\nWe have already fixed the vulnerability in the following versions:\nQuLog Center 1.7.0.829 ( 2024/10/01 ) and later\nQuLog Center 1.8.0.888 ( 2024/10/15 ) and later\nQTS 4.5.4.2957 build 20241119 and later\nQuTS hero h4.5.4.2956 build 20241119 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T16:13:55.595Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-24-53"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQuLog Center 1.7.0.829 ( 2024/10/01 ) and later\u003cbr\u003eQuLog Center 1.8.0.888 ( 2024/10/15 ) and later\u003cbr\u003eQTS 4.5.4.2957 build 20241119 and later\u003cbr\u003eQuTS hero h4.5.4.2956 build 20241119 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQuLog Center 1.7.0.829 ( 2024/10/01 ) and later\nQuLog Center 1.8.0.888 ( 2024/10/15 ) and later\nQTS 4.5.4.2957 build 20241119 and later\nQuTS hero h4.5.4.2956 build 20241119 and later"
}
],
"source": {
"advisory": "QSA-24-53",
"discovery": "EXTERNAL"
},
"title": "QuLog Center",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2024-53696",
"datePublished": "2025-03-07T16:13:55.595Z",
"dateReserved": "2024-11-22T06:21:49.206Z",
"dateUpdated": "2025-03-07T17:54:11.651Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-27600 (GCVE-0-2022-27600)
Vulnerability from nvd
Published
2024-12-19 01:39
Modified
2024-12-20 17:41
Severity ?
VLAI Severity ?
EPSS score ?
Summary
An uncontrolled resource consumption vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following versions:
QTS 5.0.1.2277 and later
QTS 4.5.4.2280 build 20230112 and later
QuTS hero h5.0.1.2277 build 20230112 and later
QuTS hero h4.5.4.2374 build 20230417 and later
QuTScloud c5.0.1.2374 and later
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 5.0.x < 5.0.1.2277 Version: 4.5.x < 4.5.4.2280 build 20230112 |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-27600",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T16:45:14.667432Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T17:41:53.027Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.0.1.2277",
"status": "affected",
"version": "5.0.x",
"versionType": "custom"
},
{
"lessThan": "4.5.4.2280 build 20230112",
"status": "affected",
"version": "4.5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.0.1.2277 build 20230112",
"status": "affected",
"version": "h5.0.x",
"versionType": "custom"
},
{
"lessThan": "h4.5.4.2374 build 20230417",
"status": "affected",
"version": "h4.5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.0.1.2374",
"status": "affected",
"version": "c5.x.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "huasheng_mangguo"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An uncontrolled resource consumption vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to launch a denial-of-service (DoS) attack.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.0.1.2277 and later\u003cbr\u003eQTS 4.5.4.2280 build 20230112 and later\u003cbr\u003eQuTS hero h5.0.1.2277 build 20230112 and later\u003cbr\u003eQuTS hero h4.5.4.2374 build 20230417 and later\u003cbr\u003eQuTScloud c5.0.1.2374 and later\u003cbr\u003e"
}
],
"value": "An uncontrolled resource consumption vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.0.1.2277 and later\nQTS 4.5.4.2280 build 20230112 and later\nQuTS hero h5.0.1.2277 build 20230112 and later\nQuTS hero h4.5.4.2374 build 20230417 and later\nQuTScloud c5.0.1.2374 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212"
}
]
},
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554"
}
]
},
{
"capecId": "CAPEC-191",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-191"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-798",
"description": "CWE-798",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T01:39:38.167Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-23-09"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.0.1.2277 and later\u003cbr\u003eQTS 4.5.4.2280 build 20230112 and later\u003cbr\u003eQuTS hero h5.0.1.2277 build 20230112 and later\u003cbr\u003eQuTS hero h4.5.4.2374 build 20230417 and later\u003cbr\u003eQuTScloud c5.0.1.2374 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.0.1.2277 and later\nQTS 4.5.4.2280 build 20230112 and later\nQuTS hero h5.0.1.2277 build 20230112 and later\nQuTS hero h4.5.4.2374 build 20230417 and later\nQuTScloud c5.0.1.2374 and later"
}
],
"source": {
"advisory": "QSA-23-09",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero, QuTScloud",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2022-27600",
"datePublished": "2024-12-19T01:39:38.167Z",
"dateReserved": "2022-03-21T22:02:33.327Z",
"dateUpdated": "2024-12-20T17:41:53.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32765 (GCVE-0-2024-32765)
Vulnerability from nvd
Published
2024-08-09 17:09
Modified
2024-08-09 18:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A vulnerability has been reported to affect Network & Virtual Switch. If exploited, the vulnerability could allow local authenticated administrators to gain access to and execute certain functions via unspecified vectors.
We have already fixed the vulnerability in the following versions:
QTS 5.1.8.2823 build 20240712 and later
QuTS hero h5.1.8.2823 build 20240712 and later
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 5.1.x < 5.1.8.2823 build 20240712 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32765",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-09T18:19:29.934392Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T18:20:43.861Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.1.8.2823 build 20240712",
"status": "affected",
"version": "5.1.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.1.8.2823 build 20240712",
"status": "affected",
"version": "h5.1.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ZDI-CAN-22458 - Team ECQ"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability has been reported to affect Network \u0026amp; Virtual Switch. If exploited, the vulnerability could allow local authenticated administrators to gain access to and execute certain functions via unspecified vectors.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.8.2823 build 20240712 and later\u003cbr\u003eQuTS hero h5.1.8.2823 build 20240712 and later\u003cbr\u003e"
}
],
"value": "A vulnerability has been reported to affect Network \u0026 Virtual Switch. If exploited, the vulnerability could allow local authenticated administrators to gain access to and execute certain functions via unspecified vectors.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.8.2823 build 20240712 and later\nQuTS hero h5.1.8.2823 build 20240712 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-22",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-22"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-291",
"description": "CWE-291",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-306",
"description": "CWE-306",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T17:09:46.468Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-24-14"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.8.2823 build 20240712 and later\u003cbr\u003eQuTS hero h5.1.8.2823 build 20240712 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.8.2823 build 20240712 and later\nQuTS hero h5.1.8.2823 build 20240712 and later"
}
],
"source": {
"advisory": "QSA-24-14",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2024-32765",
"datePublished": "2024-08-09T17:09:46.468Z",
"dateReserved": "2024-04-18T08:14:16.553Z",
"dateUpdated": "2024-08-09T18:20:43.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32766 (GCVE-0-2024-32766)
Vulnerability from nvd
Published
2024-04-26 15:00
Modified
2024-08-02 02:20
Severity ?
VLAI Severity ?
EPSS score ?
Summary
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.1.3.2578 build 20231110 and later
QTS 4.5.4.2627 build 20231225 and later
QuTS hero h5.1.3.2578 build 20231110 and later
QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.1.5.2651 and later
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 5.1.x < 5.1.3.2578 build 20231110 Version: 4.5.x < 4.5.4.2627 build 20231225 |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:qnap:qts:5.1.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "qts",
"vendor": "qnap",
"versions": [
{
"lessThan": "5.1.3.2578 build 20231110 ",
"status": "affected",
"version": "5.1.x",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:qnap:quts_hero:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "quts_hero",
"vendor": "qnap",
"versions": [
{
"lessThan": "h5.1.3.2578 build 20231110 ",
"status": "affected",
"version": "h5.1.x",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:qnap:qutscloud:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "qutscloud",
"vendor": "qnap",
"versions": [
{
"lessThan": "c5.1.5.2651 ",
"status": "affected",
"version": "c5.x.x",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:qnap:qts:4.5.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "qts",
"vendor": "qnap",
"versions": [
{
"lessThan": "4.5.4.2627 build 20231225",
"status": "affected",
"version": "4.5.x",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:qnap:quts_hero:h4.5.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "quts_hero",
"vendor": "qnap",
"versions": [
{
"lessThan": "h4.5.4.2626 build 20231225 ",
"status": "affected",
"version": "h4.5.x",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32766",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T15:26:16.123877Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:51:14.965Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:20:35.334Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-24-09"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.1.3.2578 build 20231110",
"status": "affected",
"version": "5.1.x",
"versionType": "custom"
},
{
"lessThan": "4.5.4.2627 build 20231225",
"status": "affected",
"version": "4.5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.1.3.2578 build 20231110",
"status": "affected",
"version": "h5.1.x",
"versionType": "custom"
},
{
"lessThan": "h4.5.4.2626 build 20231225",
"status": "affected",
"version": "h4.5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.1.5.2651",
"status": "affected",
"version": "c5.x.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ZDI-CAN-22495: Team Orca"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.3.2578 build 20231110 and later\u003cbr\u003eQTS 4.5.4.2627 build 20231225 and later\u003cbr\u003eQuTS hero h5.1.3.2578 build 20231110 and later\u003cbr\u003eQuTS hero h4.5.4.2626 build 20231225 and later\u003cbr\u003eQuTScloud c5.1.5.2651 and later\u003cbr\u003e"
}
],
"value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\nQuTScloud c5.1.5.2651 and later\n"
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-78",
"description": "CWE-78",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-26T15:00:43.258Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-24-09"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.3.2578 build 20231110 and later\u003cbr\u003eQTS 4.5.4.2627 build 20231225 and later\u003cbr\u003eQuTS hero h5.1.3.2578 build 20231110 and later\u003cbr\u003eQuTS hero h4.5.4.2626 build 20231225 and later\u003cbr\u003eQuTScloud c5.1.5.2651 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\nQuTScloud c5.1.5.2651 and later\n"
}
],
"source": {
"advisory": "QSA-24-09",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero, QuTScloud",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2024-32766",
"datePublished": "2024-04-26T15:00:43.258Z",
"dateReserved": "2024-04-18T08:14:16.553Z",
"dateUpdated": "2024-08-02T02:20:35.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27124 (GCVE-0-2024-27124)
Vulnerability from nvd
Published
2024-04-26 15:00
Modified
2024-08-02 00:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.1.3.2578 build 20231110 and later
QTS 4.5.4.2627 build 20231225 and later
QuTS hero h5.1.3.2578 build 20231110 and later
QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.1.5.2651 and later
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 5.1.x < 5.1.3.2578 build 20231110 Version: 4.5.x < 4.5.4.2627 build 20231225 |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:qnap:qts:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "qts",
"vendor": "qnap",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"cpes": [
"cpe:2.3:o:qnap:qts:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "qts",
"vendor": "qnap",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"cpes": [
"cpe:2.3:a:qnap:quts_hero:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "quts_hero",
"vendor": "qnap",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"cpes": [
"cpe:2.3:a:qnap:quts_hero:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "quts_hero",
"vendor": "qnap",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"cpes": [
"cpe:2.3:o:qnap:qutscloud:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "qutscloud",
"vendor": "qnap",
"versions": [
{
"status": "affected",
"version": "-"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27124",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-29T12:02:41.587380Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:47:16.292Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:27:59.078Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-24-09"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.1.3.2578 build 20231110",
"status": "affected",
"version": "5.1.x",
"versionType": "custom"
},
{
"lessThan": "4.5.4.2627 build 20231225",
"status": "affected",
"version": "4.5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.1.3.2578 build 20231110",
"status": "affected",
"version": "h5.1.x",
"versionType": "custom"
},
{
"lessThan": "h4.5.4.2626 build 20231225",
"status": "affected",
"version": "h4.5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.1.5.2651",
"status": "affected",
"version": "c5.x.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ZDI-CAN-22378: Team Viettel"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.3.2578 build 20231110 and later\u003cbr\u003eQTS 4.5.4.2627 build 20231225 and later\u003cbr\u003eQuTS hero h5.1.3.2578 build 20231110 and later\u003cbr\u003eQuTS hero h4.5.4.2626 build 20231225 and later\u003cbr\u003eQuTScloud c5.1.5.2651 and later\u003cbr\u003e"
}
],
"value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\nQuTScloud c5.1.5.2651 and later\n"
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-26T15:00:55.893Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-24-09"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.3.2578 build 20231110 and later\u003cbr\u003eQTS 4.5.4.2627 build 20231225 and later\u003cbr\u003eQuTS hero h5.1.3.2578 build 20231110 and later\u003cbr\u003eQuTS hero h4.5.4.2626 build 20231225 and later\u003cbr\u003eQuTScloud c5.1.5.2651 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\nQuTScloud c5.1.5.2651 and later\n"
}
],
"source": {
"advisory": "QSA-24-09",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero, QuTScloud",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2024-27124",
"datePublished": "2024-04-26T15:00:55.893Z",
"dateReserved": "2024-02-20T09:36:58.211Z",
"dateUpdated": "2024-08-02T00:27:59.078Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21905 (GCVE-0-2024-21905)
Vulnerability from nvd
Published
2024-04-26 15:01
Modified
2024-08-12 19:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.1.3.2578 build 20231110 and later
QuTS hero h5.1.3.2578 build 20231110 and later
QuTScloud c5.1.5.2651 and later
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 5.1.x < 5.1.3.2578 build 20231110 |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:qnap:qts:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "qts",
"vendor": "qnap",
"versions": [
{
"lessThan": "5.1.3.2578 build 20231110",
"status": "affected",
"version": "5.1.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21905",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-30T14:20:50.434461Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T19:31:28.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:35:34.830Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-24-16"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.1.3.2578 build 20231110",
"status": "affected",
"version": "5.1.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.1.3.2578 build 20231110",
"status": "affected",
"version": "h5.1.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.1.5.2651",
"status": "affected",
"version": "c5.x.x",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.3.2578 build 20231110 and later\u003cbr\u003eQuTS hero h5.1.3.2578 build 20231110 and later\u003cbr\u003eQuTScloud c5.1.5.2651 and later\u003cbr\u003e"
}
],
"value": "An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTScloud c5.1.5.2651 and later\n"
}
],
"impacts": [
{
"capecId": "CAPEC-92",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-92"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-26T15:01:00.169Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-24-16"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.3.2578 build 20231110 and later\u003cbr\u003eQuTS hero h5.1.3.2578 build 20231110 and later\u003cbr\u003eQuTScloud c5.1.5.2651 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTScloud c5.1.5.2651 and later\n"
}
],
"source": {
"advisory": "QSA-24-16",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero, QuTScloud",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2024-21905",
"datePublished": "2024-04-26T15:01:00.169Z",
"dateReserved": "2024-01-03T02:31:17.844Z",
"dateUpdated": "2024-08-12T19:31:28.640Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51365 (GCVE-0-2023-51365)
Vulnerability from nvd
Published
2024-04-26 15:01
Modified
2024-08-02 22:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.1.4.2596 build 20231128 and later
QTS 4.5.4.2627 build 20231225 and later
QuTS hero h5.1.3.2578 build 20231110 and later
QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.1.5.2651 and later
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 5.1.x < 5.1.4.2596 build 20231128 Version: 4.5.x < 4.5.4.2627 build 20231225 |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:qnap:qts:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "qts",
"vendor": "qnap",
"versions": [
{
"lessThan": "4.5.4.2627 build 20231225 ",
"status": "affected",
"version": "4.5.x",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:qnap:quts_hero:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "quts_hero",
"vendor": "qnap",
"versions": [
{
"lessThan": "h4.5.4.2626 build 20231225 ",
"status": "affected",
"version": "h4.5.x",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:qnap:qts:5.1.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "qts",
"vendor": "qnap",
"versions": [
{
"lessThan": "5.1.4.2596 build 20231128",
"status": "affected",
"version": "5.1.x",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:qnap:quts_hero:h5.1.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "quts_hero",
"vendor": "qnap",
"versions": [
{
"lessThan": "h5.1.3.2578 build 20231110 ",
"status": "affected",
"version": "h5.1.x",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51365",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-26T17:33:26.382851Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:20:25.153Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:32:09.027Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-24-14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.1.4.2596 build 20231128",
"status": "affected",
"version": "5.1.x",
"versionType": "custom"
},
{
"lessThan": "4.5.4.2627 build 20231225",
"status": "affected",
"version": "4.5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.1.3.2578 build 20231110",
"status": "affected",
"version": "h5.1.x",
"versionType": "custom"
},
{
"lessThan": "h4.5.4.2626 build 20231225",
"status": "affected",
"version": "h4.5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.1.5.2651",
"status": "unaffected",
"version": "c5.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "chumen77 "
},
{
"lang": "en",
"type": "finder",
"value": "ZDI-CAN-22407 - Team Thales\u200b"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.4.2596 build 20231128 and later\u003cbr\u003eQTS 4.5.4.2627 build 20231225 and later\u003cbr\u003eQuTS hero h5.1.3.2578 build 20231110 and later\u003cbr\u003eQuTS hero h4.5.4.2626 build 20231225 and later\u003cbr\u003eQuTScloud c5.1.5.2651 and later\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.4.2596 build 20231128 and later\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\nQuTScloud c5.1.5.2651 and later\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-26T15:01:04.335Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-24-14"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.4.2596 build 20231128 and later\u003cbr\u003eQTS 4.5.4.2627 build 20231225 and later\u003cbr\u003eQuTS hero h5.1.3.2578 build 20231110 and later\u003cbr\u003eQuTS hero h4.5.4.2626 build 20231225 and later\u003cbr\u003eQuTScloud c5.1.5.2651 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.4.2596 build 20231128 and later\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\nQuTScloud c5.1.5.2651 and later\n"
}
],
"source": {
"advisory": "QSA-24-14",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero, QuTScloud",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2023-51365",
"datePublished": "2024-04-26T15:01:04.335Z",
"dateReserved": "2023-12-18T14:21:13.239Z",
"dateUpdated": "2024-08-02T22:32:09.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51364 (GCVE-0-2023-51364)
Vulnerability from nvd
Published
2024-04-26 15:01
Modified
2024-08-02 22:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.1.4.2596 build 20231128 and later
QTS 4.5.4.2627 build 20231225 and later
QuTS hero h5.1.3.2578 build 20231110 and later
QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.1.5.2651 and later
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 5.1.x < 5.1.4.2596 build 20231128 Version: 4.5.x < 4.5.4.2627 build 20231225 |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51364",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-01T15:42:40.424471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:20:35.531Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:32:09.120Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-24-14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.1.4.2596 build 20231128",
"status": "affected",
"version": "5.1.x",
"versionType": "custom"
},
{
"lessThan": "4.5.4.2627 build 20231225",
"status": "affected",
"version": "4.5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.1.3.2578 build 20231110",
"status": "affected",
"version": "h5.1.x",
"versionType": "custom"
},
{
"lessThan": "h4.5.4.2626 build 20231225",
"status": "affected",
"version": "h4.5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.1.5.2651",
"status": "affected",
"version": "c5.x.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "chumen77 "
},
{
"lang": "en",
"type": "finder",
"value": "ZDI-CAN-22410 - Team STARLabs\u200b"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.4.2596 build 20231128 and later\u003cbr\u003eQTS 4.5.4.2627 build 20231225 and later\u003cbr\u003eQuTS hero h5.1.3.2578 build 20231110 and later\u003cbr\u003eQuTS hero h4.5.4.2626 build 20231225 and later\u003cbr\u003eQuTScloud c5.1.5.2651 and later\u003cbr\u003e"
}
],
"value": "A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.4.2596 build 20231128 and later\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\nQuTScloud c5.1.5.2651 and later\n"
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-26T15:01:08.345Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-24-14"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.4.2596 build 20231128 and later\u003cbr\u003eQTS 4.5.4.2627 build 20231225 and later\u003cbr\u003eQuTS hero h5.1.3.2578 build 20231110 and later\u003cbr\u003eQuTS hero h4.5.4.2626 build 20231225 and later\u003cbr\u003eQuTScloud c5.1.5.2651 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.4.2596 build 20231128 and later\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\nQuTScloud c5.1.5.2651 and later\n"
}
],
"source": {
"advisory": "QSA-24-14",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero, QuTScloud",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2023-51364",
"datePublished": "2024-04-26T15:01:08.345Z",
"dateReserved": "2023-12-18T14:21:13.239Z",
"dateUpdated": "2024-08-02T22:32:09.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34980 (GCVE-0-2023-34980)
Vulnerability from nvd
Published
2024-03-08 16:16
Modified
2024-09-06 17:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.
We have already fixed the vulnerability in the following versions:
QTS 4.5.4.2627 build 20231225 and later
QuTS hero h4.5.4.2626 build 20231225 and later
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 4.5.x < 4.5.4.2627 build 20231225 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:17:04.165Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-24-12"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "qts",
"vendor": "qnap",
"versions": [
{
"lessThan": "4.5.4.2627_build 20231225",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "quts_hero",
"vendor": "qnap",
"versions": [
{
"lessThan": "h4.5.4.2626_build 20231225",
"status": "affected",
"version": "h4.5",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34980",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-12T18:15:12.889402Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T17:42:06.996Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.4.2627 build 20231225",
"status": "affected",
"version": "4.5.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.4.2626 build 20231225",
"status": "affected",
"version": "h4.5.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Tyaoo\u30010x14"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 4.5.4.2627 build 20231225 and later\u003cbr\u003eQuTS hero h4.5.4.2626 build 20231225 and later\u003cbr\u003e"
}
],
"value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\n"
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-08T16:16:00.564Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-24-12"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 4.5.4.2627 build 20231225 and later\u003cbr\u003eQuTS hero h4.5.4.2626 build 20231225 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 4.5.4.2627 build 20231225 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\n"
}
],
"source": {
"advisory": "QSA-24-12",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2023-34980",
"datePublished": "2024-03-08T16:16:00.564Z",
"dateReserved": "2023-06-08T08:26:04.295Z",
"dateUpdated": "2024-09-06T17:42:06.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32969 (GCVE-0-2023-32969)
Vulnerability from nvd
Published
2024-03-08 16:17
Modified
2024-08-02 15:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A cross-site scripting (XSS) vulnerability has been reported to affect Network & Virtual Switch. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network.
We have already fixed the vulnerability in the following versions:
QuTScloud c5.1.5.2651 and later
QTS 5.1.4.2596 build 20231128 and later
QuTS hero h5.1.4.2596 build 20231128 and later
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QuTScloud |
Version: c5.x.x < c5.1.5.2651 |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32969",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-11T17:21:27.707772Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:26:10.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:32:46.225Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-24-11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.1.5.2651",
"status": "affected",
"version": "c5.x.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.1.4.2596 build 20231128",
"status": "affected",
"version": "5.1.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.1.4.2596 build 20231128",
"status": "affected",
"version": "h5.1.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Shahnawaz Shaikh, Security Researcher at Cybergate Defense LLC"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A cross-site scripting (XSS) vulnerability has been reported to affect Network \u0026amp; Virtual Switch. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQuTScloud c5.1.5.2651 and later\u003cbr\u003eQTS 5.1.4.2596 build 20231128 and later\u003cbr\u003eQuTS hero h5.1.4.2596 build 20231128 and later\u003cbr\u003e"
}
],
"value": "A cross-site scripting (XSS) vulnerability has been reported to affect Network \u0026 Virtual Switch. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQuTScloud c5.1.5.2651 and later\nQTS 5.1.4.2596 build 20231128 and later\nQuTS hero h5.1.4.2596 build 20231128 and later\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-08T16:17:19.645Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-24-11"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQuTScloud c5.1.5.2651 and later\u003cbr\u003eQTS 5.1.4.2596 build 20231128 and later\u003cbr\u003eQuTS hero h5.1.4.2596 build 20231128 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQuTScloud c5.1.5.2651 and later\nQTS 5.1.4.2596 build 20231128 and later\nQuTS hero h5.1.4.2596 build 20231128 and later\n"
}
],
"source": {
"advisory": "QSA-24-11",
"discovery": "EXTERNAL"
},
"title": "Network \u0026 Virtual Switch",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2023-32969",
"datePublished": "2024-03-08T16:17:19.645Z",
"dateReserved": "2023-05-16T10:44:49.055Z",
"dateUpdated": "2024-08-02T15:32:46.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50358 (GCVE-0-2023-50358)
Vulnerability from nvd
Published
2024-02-13 02:45
Modified
2025-05-09 18:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.1.5.2645 build 20240116 and later
QTS 4.5.4.2627 build 20231225 and later
QTS 4.3.6.2665 build 20240131 and later
QTS 4.3.4.2675 build 20240131 and later
QTS 4.3.3.2644 build 20240131 and later
QTS 4.2.6 build 20240131 and later
QuTS hero h5.1.5.2647 build 20240118 and later
QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.1.5.2651 and later
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 5.x < 5.1.5.2645 build 20240116 Version: 4.5.x, 4.4.x < 4.5.4.2627 build 20231225 Version: 4.3.6, 4.3.5 < 4.3.6.2665 build 20240131 Version: 4.3.4 < 4.3.4.2675 build 20240131 Version: 4.3.x < 4.3.3.2644 build 20240131 Version: 4.2.x < 4.2.6 build 20240131 |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.240Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-23-57"
},
{
"tags": [
"x_transferred"
],
"url": "https://unit42.paloaltonetworks.com/qnap-qts-firmware-cve-2023-50358/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-213941-1032"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T19:07:56.548850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-09T18:16:31.828Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.1.5.2645 build 20240116",
"status": "affected",
"version": "5.x",
"versionType": "custom"
},
{
"lessThan": "4.5.4.2627 build 20231225",
"status": "affected",
"version": "4.5.x, 4.4.x",
"versionType": "custom"
},
{
"lessThan": "4.3.6.2665 build 20240131",
"status": "affected",
"version": "4.3.6, 4.3.5",
"versionType": "custom"
},
{
"lessThan": "4.3.4.2675 build 20240131",
"status": "affected",
"version": "4.3.4",
"versionType": "custom"
},
{
"lessThan": "4.3.3.2644 build 20240131",
"status": "affected",
"version": "4.3.x",
"versionType": "custom"
},
{
"lessThan": "4.2.6 build 20240131",
"status": "affected",
"version": "4.2.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.1.5.2647 build 20240118",
"status": "affected",
"version": "h5.x",
"versionType": "custom"
},
{
"lessThan": "h4.5.4.2626 build 20231225",
"status": "affected",
"version": "h4.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.1.5.2651",
"status": "affected",
"version": "c5.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Palo Alto Networks Unit 42"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.5.2645 build 20240116 and later\u003cbr\u003eQTS 4.5.4.2627 build 20231225 and later\u003cbr\u003eQTS 4.3.6.2665 build 20240131 and later\u003cbr\u003eQTS 4.3.4.2675 build 20240131 and later\u003cbr\u003eQTS 4.3.3.2644 build 20240131 and later\u003cbr\u003eQTS 4.2.6 build 20240131 and later\u003cbr\u003eQuTS hero h5.1.5.2647 build 20240118 and later\u003cbr\u003eQuTS hero h4.5.4.2626 build 20231225 and later\u003cbr\u003eQuTScloud c5.1.5.2651 and later\u003cbr\u003e"
}
],
"value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.5.2645 build 20240116 and later\nQTS 4.5.4.2627 build 20231225 and later\nQTS 4.3.6.2665 build 20240131 and later\nQTS 4.3.4.2675 build 20240131 and later\nQTS 4.3.3.2644 build 20240131 and later\nQTS 4.2.6 build 20240131 and later\nQuTS hero h5.1.5.2647 build 20240118 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\nQuTScloud c5.1.5.2651 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-15T05:21:43.811Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-23-57"
},
{
"url": "https://unit42.paloaltonetworks.com/qnap-qts-firmware-cve-2023-50358/"
},
{
"url": "https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-213941-1032"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.5.2645 build 20240116 and later\u003cbr\u003eQTS 4.5.4.2627 build 20231225 and later\u003cbr\u003eQTS 4.3.6.2665 build 20240131 and later\u003cbr\u003eQTS 4.3.4.2675 build 20240131 and later\u003cbr\u003eQTS 4.3.3.2644 build 20240131 and later\u003cbr\u003eQTS 4.2.6 build 20240131 and later\u003cbr\u003eQuTS hero h5.1.5.2647 build 20240118 and later\u003cbr\u003eQuTS hero h4.5.4.2626 build 20231225 and later\u003cbr\u003eQuTScloud c5.1.5.2651 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.5.2645 build 20240116 and later\nQTS 4.5.4.2627 build 20231225 and later\nQTS 4.3.6.2665 build 20240131 and later\nQTS 4.3.4.2675 build 20240131 and later\nQTS 4.3.3.2644 build 20240131 and later\nQTS 4.2.6 build 20240131 and later\nQuTS hero h5.1.5.2647 build 20240118 and later\nQuTS hero h4.5.4.2626 build 20231225 and later\nQuTScloud c5.1.5.2651 and later"
}
],
"source": {
"advisory": "QSA-23-57",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero, QuTScloud",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2023-50358",
"datePublished": "2024-02-13T02:45:22.351Z",
"dateReserved": "2023-12-07T08:52:25.583Z",
"dateUpdated": "2025-05-09T18:16:31.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-47218 (GCVE-0-2023-47218)
Vulnerability from nvd
Published
2024-02-13 02:44
Modified
2025-05-07 21:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.1.5.2645 build 20240116 and later
QuTS hero h5.1.5.2647 build 20240118 and later
QuTScloud c5.1.5.2651 and later
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 5.1.x < 5.1.5.2645 build 20240116 |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:01:22.911Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-23-57"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.rapid7.com/blog/post/2024/02/13/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47218",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-13T16:50:57.106168Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T21:13:18.700Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.1.5.2645 build 20240116",
"status": "affected",
"version": "5.1.x",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "4.x"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.1.5.2647 build 20240118",
"status": "affected",
"version": "h5.1.x",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "h4.x"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.1.5.2651",
"status": "affected",
"version": "c5.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Stephen Fewer, Principal Security Researcher at Rapid7"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.5.2645 build 20240116 and later\u003cbr\u003eQuTS hero h5.1.5.2647 build 20240118 and later\u003cbr\u003eQuTScloud c5.1.5.2651 and later\u003cbr\u003e"
}
],
"value": "An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.5.2645 build 20240116 and later\nQuTS hero h5.1.5.2647 build 20240118 and later\nQuTScloud c5.1.5.2651 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-78",
"description": "CWE-78",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-15T05:22:35.083Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-23-57"
},
{
"url": "https://www.rapid7.com/blog/post/2024/02/13/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.5.2645 build 20240116 and later\u003cbr\u003eQuTS hero h5.1.5.2647 build 20240118 and later\u003cbr\u003eQuTScloud c5.1.5.2651 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.5.2645 build 20240116 and later\nQuTS hero h5.1.5.2647 build 20240118 and later\nQuTScloud c5.1.5.2651 and later"
}
],
"source": {
"advisory": "QSA-23-57",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero, QuTScloud",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2023-47218",
"datePublished": "2024-02-13T02:44:14.677Z",
"dateReserved": "2023-11-03T09:47:36.053Z",
"dateUpdated": "2025-05-07T21:13:18.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59385 (GCVE-0-2025-59385)
Vulnerability from cvelistv5
Published
2025-12-16 02:25
Modified
2025-12-17 04:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
An authentication bypass by spoofing vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to access resources which are not otherwise accessible without proper authentication.
We have already fixed the vulnerability in the following versions:
QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.7.3297 build 20251024 and later
QuTS hero h5.3.1.3292 build 20251024 and later
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 5.2.x < 5.2.7.3297 build 20251024 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T04:55:46.464Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.2.7.3297 build 20251024",
"status": "affected",
"version": "5.2.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.2.7.3297 build 20251024",
"status": "affected",
"version": "h5.2.x",
"versionType": "custom"
},
{
"lessThan": "h5.3.1.3292 build 20251024",
"status": "affected",
"version": "h5.3.x",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:qts:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.2.7.3297_build_20251024",
"versionStartIncluding": "5.2.x",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:quts_hero:*:*:*:*:*:*:*:*",
"versionEndExcluding": "h5.2.7.3297_build_20251024",
"versionStartIncluding": "h5.2.x",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:quts_hero:*:*:*:*:*:*:*:*",
"versionEndExcluding": "h5.3.1.3292_build_20251024",
"versionStartIncluding": "h5.3.x",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Le Mau Anh Phong at Verichains Cyber Force"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authentication bypass by spoofing vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to access resources which are not otherwise accessible without proper authentication.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.3.1.3292 build 20251024 and later\u003cbr\u003e"
}
],
"value": "An authentication bypass by spoofing vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to access resources which are not otherwise accessible without proper authentication.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3297 build 20251024 and later\nQuTS hero h5.2.7.3297 build 20251024 and later\nQuTS hero h5.3.1.3292 build 20251024 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T02:25:16.661Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-25-45"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.3.1.3292 build 20251024 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3297 build 20251024 and later\nQuTS hero h5.2.7.3297 build 20251024 and later\nQuTS hero h5.3.1.3292 build 20251024 and later"
}
],
"source": {
"advisory": "QSA-25-45",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2025-59385",
"datePublished": "2025-12-16T02:25:16.661Z",
"dateReserved": "2025-09-15T08:35:00.660Z",
"dateUpdated": "2025-12-17T04:55:46.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62847 (GCVE-0-2025-62847)
Vulnerability from cvelistv5
Published
2025-12-16 02:25
Modified
2025-12-16 21:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
An improper neutralization of argument delimiters in a command vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to alter execution logic.
We have already fixed the vulnerability in the following versions:
QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.7.3297 build 20251024 and later
QuTS hero h5.3.1.3292 build 20251024 and later
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 5.2.x < 5.2.7.3297 build 20251024 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62847",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T21:25:16.928426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T21:25:23.090Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.2.7.3297 build 20251024",
"status": "affected",
"version": "5.2.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.2.7.3297 build 20251024",
"status": "affected",
"version": "h5.2.x",
"versionType": "custom"
},
{
"lessThan": "h5.3.1.3292 build 20251024",
"status": "affected",
"version": "h5.3.x",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:qts:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.2.7.3297_build_20251024",
"versionStartIncluding": "5.2.x",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:quts_hero:*:*:*:*:*:*:*:*",
"versionEndExcluding": "h5.2.7.3297_build_20251024",
"versionStartIncluding": "h5.2.x",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:quts_hero:*:*:*:*:*:*:*:*",
"versionEndExcluding": "h5.3.1.3292_build_20251024",
"versionStartIncluding": "h5.3.x",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pwn2Own 2025 - DEVCORE"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper neutralization of argument delimiters in a command vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to alter execution logic.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.3.1.3292 build 20251024 and later\u003cbr\u003e"
}
],
"value": "An improper neutralization of argument delimiters in a command vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to alter execution logic.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3297 build 20251024 and later\nQuTS hero h5.2.7.3297 build 20251024 and later\nQuTS hero h5.3.1.3292 build 20251024 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T02:25:11.210Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-25-45"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.3.1.3292 build 20251024 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3297 build 20251024 and later\nQuTS hero h5.2.7.3297 build 20251024 and later\nQuTS hero h5.3.1.3292 build 20251024 and later"
}
],
"source": {
"advisory": "QSA-25-45",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2025-62847",
"datePublished": "2025-12-16T02:25:11.210Z",
"dateReserved": "2025-10-24T02:43:45.373Z",
"dateUpdated": "2025-12-16T21:25:23.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62848 (GCVE-0-2025-62848)
Vulnerability from cvelistv5
Published
2025-12-16 02:25
Modified
2025-12-16 21:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following versions:
QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.7.3297 build 20251024 and later
QuTS hero h5.3.1.3292 build 20251024 and later
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 5.2.x < 5.2.7.3297 build 20251024 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62848",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T21:24:45.780330Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T21:24:54.910Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.2.7.3297 build 20251024",
"status": "affected",
"version": "5.2.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.2.7.3297 build 20251024",
"status": "affected",
"version": "h5.2.x",
"versionType": "custom"
},
{
"lessThan": "h5.3.1.3292 build 20251024",
"status": "affected",
"version": "h5.3.x",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:qts:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.2.7.3297_build_20251024",
"versionStartIncluding": "5.2.x",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:quts_hero:*:*:*:*:*:*:*:*",
"versionEndExcluding": "h5.2.7.3297_build_20251024",
"versionStartIncluding": "h5.2.x",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:quts_hero:*:*:*:*:*:*:*:*",
"versionEndExcluding": "h5.3.1.3292_build_20251024",
"versionStartIncluding": "h5.3.x",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pwn2Own 2025 - DEVCORE"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.3.1.3292 build 20251024 and later\u003cbr\u003e"
}
],
"value": "A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3297 build 20251024 and later\nQuTS hero h5.2.7.3297 build 20251024 and later\nQuTS hero h5.3.1.3292 build 20251024 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-129",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-129"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T02:25:04.815Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-25-45"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.3.1.3292 build 20251024 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3297 build 20251024 and later\nQuTS hero h5.2.7.3297 build 20251024 and later\nQuTS hero h5.3.1.3292 build 20251024 and later"
}
],
"source": {
"advisory": "QSA-25-45",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2025-62848",
"datePublished": "2025-12-16T02:25:04.815Z",
"dateReserved": "2025-10-24T02:43:45.373Z",
"dateUpdated": "2025-12-16T21:24:54.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62849 (GCVE-0-2025-62849)
Vulnerability from cvelistv5
Published
2025-12-16 02:24
Modified
2025-12-17 04:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands.
We have already fixed the vulnerability in the following versions:
QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.7.3297 build 20251024 and later
QuTS hero h5.3.1.3292 build 20251024 and later
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 5.2.x < 5.2.7.3297 build 20251024 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62849",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T04:55:48.298Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.2.7.3297 build 20251024",
"status": "affected",
"version": "5.2.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.2.7.3297 build 20251024",
"status": "affected",
"version": "h5.2.x",
"versionType": "custom"
},
{
"lessThan": "h5.3.1.3292 build 20251024",
"status": "affected",
"version": "h5.3.x",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:qts:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.2.7.3297_build_20251024",
"versionStartIncluding": "5.2.x",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:quts_hero:*:*:*:*:*:*:*:*",
"versionEndExcluding": "h5.2.7.3297_build_20251024",
"versionStartIncluding": "h5.2.x",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qnap_systems_inc.:quts_hero:*:*:*:*:*:*:*:*",
"versionEndExcluding": "h5.3.1.3292_build_20251024",
"versionStartIncluding": "h5.3.x",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pwn2Own 2025 - DEVCORE"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.3.1.3292 build 20251024 and later\u003cbr\u003e"
}
],
"value": "An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3297 build 20251024 and later\nQuTS hero h5.2.7.3297 build 20251024 and later\nQuTS hero h5.3.1.3292 build 20251024 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T02:24:58.273Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-25-45"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.2.7.3297 build 20251024 and later\u003cbr\u003eQuTS hero h5.3.1.3292 build 20251024 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3297 build 20251024 and later\nQuTS hero h5.2.7.3297 build 20251024 and later\nQuTS hero h5.3.1.3292 build 20251024 and later"
}
],
"source": {
"advisory": "QSA-25-45",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2025-62849",
"datePublished": "2025-12-16T02:24:58.273Z",
"dateReserved": "2025-10-24T02:43:49.268Z",
"dateUpdated": "2025-12-17T04:55:48.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-21900 (GCVE-0-2024-21900)
Vulnerability from cvelistv5
Published
2024-03-08 16:17
Modified
2025-12-16 18:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.1.3.2578 build 20231110 and later
QuTS hero h5.1.3.2578 build 20231110 and later
QuTScloud c5.1.5.2651 and later
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Version: 5.1.x < 5.1.3.2578 build 20231110 |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:qnap:qts:5.1.x:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "qts",
"vendor": "qnap",
"versions": [
{
"lessThan": "5.1.3.2578 build 20231110",
"status": "affected",
"version": "5.1.x",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:qnap:quts_hero:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "quts_hero",
"vendor": "qnap",
"versions": [
{
"lessThan": "h5.1.3.2578 build 20231110",
"status": "affected",
"version": "h5.1.x",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:qnap:qutscloud:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "qutscloud",
"vendor": "qnap",
"versions": [
{
"lessThan": "c5.1.5.2651",
"status": "affected",
"version": "c5.x.x",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21900",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-10T04:00:37.139688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T18:13:18.660Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:35:34.489Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-24-09"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.1.3.2578 build 20231110",
"status": "affected",
"version": "5.1.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.1.3.2578 build 20231110",
"status": "affected",
"version": "h5.1.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.1.5.2651",
"status": "affected",
"version": "c5.x.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "ZDI-CAN-22493/22494 : DEVCORE"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.3.2578 build 20231110 and later\u003cbr\u003eQuTS hero h5.1.3.2578 build 20231110 and later\u003cbr\u003eQuTScloud c5.1.5.2651 and later\u003cbr\u003e"
}
],
"value": "An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTScloud c5.1.5.2651 and later\n"
}
],
"impacts": [
{
"capecId": "CAPEC-64",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-64"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-08T16:17:29.628Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-24-09"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.1.3.2578 build 20231110 and later\u003cbr\u003eQuTS hero h5.1.3.2578 build 20231110 and later\u003cbr\u003eQuTScloud c5.1.5.2651 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.1.3.2578 build 20231110 and later\nQuTS hero h5.1.3.2578 build 20231110 and later\nQuTScloud c5.1.5.2651 and later\n"
}
],
"source": {
"advisory": "QSA-24-09",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero, QuTScloud",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2024-21900",
"datePublished": "2024-03-08T16:17:29.628Z",
"dateReserved": "2024-01-03T02:31:17.843Z",
"dateUpdated": "2025-12-16T18:13:18.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CERTFR-2025-AVI-0981
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Qnap. Certaines d'entre elles permettent à un attaquant de provoquer une élévation de privilèges, un déni de service à distance et une injection SQL (SQLi).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Qnap | N/A | QuMagie versions 2.6.x et 2.7.x antérieures à 2.7.3 | ||
| Qnap | Hybrid Backup Sync | HBS 3 Hybrid Backup Sync versions 26.x antérieures à 26.2.0.938 | ||
| Qnap | N/A | Notification Center versions 1.9.x pour QTS 5.2.x et QuTS hero h5.2.x antérieures à 1.9.2.3163 | ||
| Qnap | N/A | Hyper Data Protector versions 2.2.x antérieures à 2.2.4.1 | ||
| Qnap | N/A | Notification Center versions 3.0.x pour QuTS hero h5.6.x et QuTS hero h6.0.x antérieures à 3.0.0.3466 | ||
| Qnap | N/A | Malware Remover versions 6.6.x antérieures à 6.6.8.20251023 | ||
| Qnap | N/A | Download Station versions 5.10.x pour QTS 5.2.1 antérieures à 5.10.0.305 ( 2025/09/16 ) | ||
| Qnap | QuTS hero | QuTS hero versions h5.3.x antérieures à h5.3.1.3292 build 20251024 | ||
| Qnap | QuLog Center | QuLog Center versions 1.8.x antérieures à 1.8.2.923 ( 2025/08/27 ) | ||
| Qnap | N/A | Download Station versions 5.10.x pour QuTS hero h5.2.1 antérieures à 5.10.0.304 ( 2025/09/08 ) | ||
| Qnap | QTS | QTS versions 5.2.x antérieures à QTS 5.2.7.3297 build 20251024 | ||
| Qnap | QuTS hero | QuTS hero versions h5.2.x antérieures à h5.2.7.3297 build 20251024 | ||
| Qnap | File Station | File Station 5 versions 5.5.x antérieures à 5.5.6.5018 | ||
| Qnap | N/A | Qsync Central versions 5.0.x antérieures à 5.0.0.3 ( 2025/08/28 ) | ||
| Qnap | N/A | Notification Center versions 2.1.x pour QuTS hero h5.3.x antérieures à 2.1.0.3443 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "QuMagie versions 2.6.x et 2.7.x ant\u00e9rieures \u00e0 2.7.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "HBS 3 Hybrid Backup Sync versions 26.x ant\u00e9rieures \u00e0 26.2.0.938",
"product": {
"name": "Hybrid Backup Sync",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Notification Center versions 1.9.x pour QTS 5.2.x et QuTS hero h5.2.x ant\u00e9rieures \u00e0 1.9.2.3163",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Hyper Data Protector versions 2.2.x ant\u00e9rieures \u00e0 2.2.4.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Notification Center versions 3.0.x pour QuTS hero h5.6.x et QuTS hero h6.0.x ant\u00e9rieures \u00e0 3.0.0.3466",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Malware Remover versions 6.6.x ant\u00e9rieures \u00e0 6.6.8.20251023",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Download Station versions 5.10.x pour QTS 5.2.1 ant\u00e9rieures \u00e0 5.10.0.305 ( 2025/09/16 )",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h5.3.x ant\u00e9rieures \u00e0 h5.3.1.3292 build 20251024",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuLog Center versions 1.8.x ant\u00e9rieures \u00e0 1.8.2.923 ( 2025/08/27 )",
"product": {
"name": "QuLog Center",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Download Station versions 5.10.x pour QuTS hero h5.2.1 ant\u00e9rieures \u00e0 5.10.0.304 ( 2025/09/08 )",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 5.2.x ant\u00e9rieures \u00e0 QTS 5.2.7.3297 build 20251024",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h5.2.x ant\u00e9rieures \u00e0 h5.2.7.3297 build 20251024",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "File Station 5 versions 5.5.x ant\u00e9rieures \u00e0 5.5.6.5018",
"product": {
"name": "File Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qsync Central versions 5.0.x ant\u00e9rieures \u00e0 5.0.0.3 ( 2025/08/28 )",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Notification Center versions 2.1.x pour QuTS hero h5.3.x ant\u00e9rieures \u00e0 2.1.0.3443",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-57712",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-57712"
},
{
"name": "CVE-2025-47207",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47207"
},
{
"name": "CVE-2025-53413",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53413"
},
{
"name": "CVE-2025-53411",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53411"
},
{
"name": "CVE-2025-58469",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58469"
},
{
"name": "CVE-2025-62849",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62849"
},
{
"name": "CVE-2025-54167",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54167"
},
{
"name": "CVE-2025-62842",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62842"
},
{
"name": "CVE-2025-59389",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59389"
},
{
"name": "CVE-2025-57706",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-57706"
},
{
"name": "CVE-2025-58463",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58463"
},
{
"name": "CVE-2025-53409",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53409"
},
{
"name": "CVE-2025-53408",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53408"
},
{
"name": "CVE-2025-53412",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53412"
},
{
"name": "CVE-2025-58465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58465"
},
{
"name": "CVE-2025-54168",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54168"
},
{
"name": "CVE-2025-52865",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52865"
},
{
"name": "CVE-2025-53410",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53410"
},
{
"name": "CVE-2025-52425",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52425"
},
{
"name": "CVE-2025-58464",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58464"
},
{
"name": "CVE-2025-62847",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62847"
},
{
"name": "CVE-2025-11837",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11837"
},
{
"name": "CVE-2025-62848",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62848"
},
{
"name": "CVE-2025-62840",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62840"
}
],
"initial_release_date": "2025-11-10T00:00:00",
"last_revision_date": "2025-11-10T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0981",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-11-10T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Injection SQL (SQLi)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Qnap. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges, un d\u00e9ni de service \u00e0 distance et une injection SQL (SQLi).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
"vendor_advisories": [
{
"published_at": "2025-11-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-37",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-37"
},
{
"published_at": "2025-11-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-45",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-45"
},
{
"published_at": "2025-11-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-48",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-48"
},
{
"published_at": "2025-11-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-40",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-40"
},
{
"published_at": "2025-11-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-43",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-43"
},
{
"published_at": "2025-11-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-38",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-38"
},
{
"published_at": "2025-11-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-41",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-41"
},
{
"published_at": "2025-11-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-47",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-47"
},
{
"published_at": "2025-11-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-33",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-33"
},
{
"published_at": "2025-11-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-42",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-42"
},
{
"published_at": "2025-11-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-46",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-46"
}
]
}
CERTFR-2025-AVI-0486
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Qnap. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Qnap | QTS | QTS versions 5.2.x antérieures à 5.2.4.3079 build 20250321 | ||
| Qnap | QuRouter | QuRouter versions 2.4.x et 2.5.x antérieures à 2.5.0.140 | ||
| Qnap | QuTS hero | QuTS hero versions h5.2.x antérieures à h5.2.4.3079 build 20250321 | ||
| Qnap | License Center | License Center versions 1.9.x antérieures à 1.9.49 | ||
| Qnap | File Station | File Station 5 versions 5.5.x antérieures à 5.5.6.4847 | ||
| Qnap | Qsync | Qsync Central versions 4.5.x antérieures à 4.5.0.6 | ||
| Qnap | QES | QES versions 2.2.x antérieures à 2.2.1 build 20250304 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "QTS versions 5.2.x ant\u00e9rieures \u00e0 5.2.4.3079 build 20250321",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuRouter versions 2.4.x et 2.5.x ant\u00e9rieures \u00e0 2.5.0.140",
"product": {
"name": "QuRouter",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h5.2.x ant\u00e9rieures \u00e0 h5.2.4.3079 build 20250321",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "License Center versions 1.9.x ant\u00e9rieures \u00e0 1.9.49",
"product": {
"name": "License Center",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "File Station 5 versions 5.5.x ant\u00e9rieures \u00e0 5.5.6.4847",
"product": {
"name": "File Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qsync Central versions 4.5.x ant\u00e9rieures \u00e0 4.5.0.6",
"product": {
"name": "Qsync",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QES versions 2.2.x ant\u00e9rieures \u00e0 2.2.1 build 20250304",
"product": {
"name": "QES",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-26465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-26465"
},
{
"name": "CVE-2025-33031",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-33031"
},
{
"name": "CVE-2024-56805",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56805"
},
{
"name": "CVE-2024-50406",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50406"
},
{
"name": "CVE-2025-22482",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22482"
},
{
"name": "CVE-2025-26466",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-26466"
},
{
"name": "CVE-2025-29872",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-29872"
},
{
"name": "CVE-2025-29892",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-29892"
},
{
"name": "CVE-2025-22490",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22490"
},
{
"name": "CVE-2025-29873",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-29873"
},
{
"name": "CVE-2025-29884",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-29884"
},
{
"name": "CVE-2025-33035",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-33035"
},
{
"name": "CVE-2025-29876",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-29876"
},
{
"name": "CVE-2025-22485",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22485"
},
{
"name": "CVE-2024-13087",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-13087"
},
{
"name": "CVE-2025-22484",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22484"
},
{
"name": "CVE-2023-28370",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28370"
},
{
"name": "CVE-2025-29877",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-29877"
},
{
"name": "CVE-2025-29883",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-29883"
},
{
"name": "CVE-2025-30279",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-30279"
},
{
"name": "CVE-2025-22486",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22486"
},
{
"name": "CVE-2025-29871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-29871"
},
{
"name": "CVE-2024-6387",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6387"
},
{
"name": "CVE-2025-22481",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22481"
},
{
"name": "CVE-2024-13088",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-13088"
},
{
"name": "CVE-2025-29885",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-29885"
}
],
"initial_release_date": "2025-06-10T00:00:00",
"last_revision_date": "2025-06-10T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0486",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-06-10T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Injection SQL (SQLi)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Qnap. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
"vendor_advisories": [
{
"published_at": "2025-06-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-17",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-17"
},
{
"published_at": "2025-06-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-11",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-11"
},
{
"published_at": "2025-06-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-14",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-14"
},
{
"published_at": "2025-06-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-10",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-10"
},
{
"published_at": "2025-06-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-09",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-09"
},
{
"published_at": "2025-06-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-15",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-15"
},
{
"published_at": "2025-06-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-13",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-13"
},
{
"published_at": "2025-06-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-16",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-16"
},
{
"published_at": "2025-06-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-12",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-12"
}
]
}
CERTFR-2025-AVI-0188
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Qnap. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Qnap | HBS 3 Hybrid Backup Sync | HBS 3 Hybrid Backup Sync versions 25.1.x antérieures à 25.1.4.952 | ||
| Qnap | QuTS hero | QuTS hero versions h5.1.x antérieures à h5.1.9.2954 build 20241120 | ||
| Qnap | QuLog Center | QuLog Center versions 1.8.x antérieures à 1.8.0.888 | ||
| Qnap | File Station | File Station versions 5.5.x antérieures à 5.5.6.4741 | ||
| Qnap | QTS | QTS versions 5.1.x antérieures à 5.1.9.2954 build 20241120 | ||
| Qnap | Helpdesk | Helpdesk versions 3.3.x antérieurs à 3.3.3 | ||
| Qnap | QuRouter | QuRouter versions 2.4.x antérieures à 2.4.6.028 | ||
| Qnap | QVPN | QVPN Device Client versions 2.2.x antérieures à 2.2.5 pour Mac | ||
| Qnap | QTS | QTS versions 5.2.x antérieures à 5.2.3.3006 build 20250108 | ||
| Qnap | QTS | QTS versions 4.5.x antérieures à 4.5.4.2957 build 20241119 | ||
| Qnap | QuTS hero | QuTS hero versions h4.5.x antérieures à h4.5.4.2956 build 20241119 | ||
| Qnap | QuLog Center | QuLog Center versions 1.7.x antérieures à 1.7.0.829 | ||
| Qnap | Qsync | Qsync Client versions 5.1.x antérieures à 5.1.3 pour Mac | ||
| Qnap | QuTS hero | QuTS hero versions h5.2.x antérieures à h5.2.3.3006 build 20250108 | ||
| Qnap | Qfinder | Qfinder Pro Mac versions 7.11.x antérieures à 7.11.1 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "HBS 3 Hybrid Backup Sync versions 25.1.x ant\u00e9rieures \u00e0 25.1.4.952",
"product": {
"name": "HBS 3 Hybrid Backup Sync",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h5.1.x ant\u00e9rieures \u00e0 h5.1.9.2954 build 20241120",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuLog Center versions 1.8.x ant\u00e9rieures \u00e0 1.8.0.888",
"product": {
"name": "QuLog Center",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "File Station versions 5.5.x ant\u00e9rieures \u00e0 5.5.6.4741",
"product": {
"name": "File Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 5.1.x ant\u00e9rieures \u00e0 5.1.9.2954 build 20241120",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Helpdesk versions 3.3.x ant\u00e9rieurs \u00e0 3.3.3",
"product": {
"name": "Helpdesk",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuRouter versions 2.4.x ant\u00e9rieures \u00e0 2.4.6.028",
"product": {
"name": "QuRouter",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QVPN Device Client versions 2.2.x ant\u00e9rieures \u00e0 2.2.5 pour Mac",
"product": {
"name": "QVPN",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 5.2.x ant\u00e9rieures \u00e0 5.2.3.3006 build 20250108",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.5.x ant\u00e9rieures \u00e0 4.5.4.2957 build 20241119",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h4.5.x ant\u00e9rieures \u00e0 h4.5.4.2956 build 20241119",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuLog Center versions 1.7.x ant\u00e9rieures \u00e0 1.7.0.829",
"product": {
"name": "QuLog Center",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qsync Client versions 5.1.x ant\u00e9rieures \u00e0 5.1.3 pour Mac",
"product": {
"name": "Qsync",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h5.2.x ant\u00e9rieures \u00e0 h5.2.3.3006 build 20250108",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qfinder Pro Mac versions 7.11.x ant\u00e9rieures \u00e0 7.11.1",
"product": {
"name": "Qfinder",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-53695",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53695"
},
{
"name": "CVE-2024-50390",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50390"
},
{
"name": "CVE-2024-53700",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53700"
},
{
"name": "CVE-2024-53696",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53696"
},
{
"name": "CVE-2024-53698",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53698"
},
{
"name": "CVE-2024-53693",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53693"
},
{
"name": "CVE-2024-53694",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53694"
},
{
"name": "CVE-2024-53697",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53697"
},
{
"name": "CVE-2024-48864",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-48864"
},
{
"name": "CVE-2024-50394",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50394"
},
{
"name": "CVE-2024-13086",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-13086"
},
{
"name": "CVE-2024-53699",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53699"
},
{
"name": "CVE-2024-53692",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53692"
},
{
"name": "CVE-2024-50405",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50405"
},
{
"name": "CVE-2024-38638",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38638"
}
],
"initial_release_date": "2025-03-10T00:00:00",
"last_revision_date": "2025-03-10T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0188",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-03-10T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Qnap. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
"vendor_advisories": [
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-03",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-03"
},
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-55",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-55"
},
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-52",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-52"
},
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-06",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-06"
},
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-53",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-53"
},
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-07",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-07"
},
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-05",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-05"
},
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-01",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-01"
},
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-54",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-54"
},
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-51",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-51"
}
]
}
CERTFR-2024-AVI-1052
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Qnap. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à l'intégrité des données et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Qnap | QuTS hero | QuTS hero versions h5.2.x antérieures à h5.2.2.2952 build 20241116 | ||
| Qnap | QuTS hero | QuTS hero versions h5.1.x antérieures à h5.1.9.2954 build 20241120 | ||
| Qnap | QTS | QTS versions 5.1.x antérieures à 5.1.9.2954 build 20241120 | ||
| Qnap | License Center | License Center versions 1.9.x antérieures à 1.9.43 | ||
| Qnap | QTS | QTS versions 5.2.x antérieures à 5.2.2.2950 build 20241114 | ||
| Qnap | Qsync Central | Qsync Central versions 4.4.x antérieures à 4.4.0.16_20240819 ( 2024/08/19 ) |
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "QuTS hero versions h5.2.x ant\u00e9rieures \u00e0 h5.2.2.2952 build 20241116",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h5.1.x ant\u00e9rieures \u00e0 h5.1.9.2954 build 20241120",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 5.1.x ant\u00e9rieures \u00e0 5.1.9.2954 build 20241120",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "License Center versions 1.9.x ant\u00e9rieures \u00e0 1.9.43",
"product": {
"name": "License Center",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 5.2.x ant\u00e9rieures \u00e0 5.2.2.2950 build 20241114",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qsync Central versions 4.4.x ant\u00e9rieures \u00e0 4.4.0.16_20240819 ( 2024/08/19 )",
"product": {
"name": "Qsync Central",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-50404",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50404"
},
{
"name": "CVE-2024-50403",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50403"
},
{
"name": "CVE-2024-50402",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50402"
},
{
"name": "CVE-2024-48866",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-48866"
},
{
"name": "CVE-2024-48867",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-48867"
},
{
"name": "CVE-2024-48863",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-48863"
},
{
"name": "CVE-2024-48868",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-48868"
},
{
"name": "CVE-2024-48859",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-48859"
},
{
"name": "CVE-2024-50393",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50393"
},
{
"name": "CVE-2024-48865",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-48865"
}
],
"initial_release_date": "2024-12-09T00:00:00",
"last_revision_date": "2024-12-09T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-1052",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-12-09T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Qnap. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
"vendor_advisories": [
{
"published_at": "2024-12-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-50",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-50"
},
{
"published_at": "2024-12-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-48",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-48"
},
{
"published_at": "2024-12-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-49",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-49"
}
]
}
CERTFR-2024-AVI-1018
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Qnap. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Qnap | N/A | Photo Station versions 6.4.x antérieures à 6.4.3 | ||
| Qnap | QuRouter | QuRouter versions 2.4.x antérieures à 2.4.4.106 | ||
| Qnap | QuLog Center | QuLog Center versions 1.8.x antérieures à 1.8.0.888 | ||
| Qnap | QuRouter | QuRouter versions 2.4.x antérieures à 2.4.3.103 | ||
| Qnap | QuTS hero | QuTS hero versions h5.2.x antérieures à h5.2.1.2929 build 20241025 | ||
| Qnap | N/A | Notes Station 3 versions 3.9.x antérieures à 3.9.7 | ||
| Qnap | QuTS hero | QuTS hero versions h5.1.x antérieures à h5.1.8.2823 build 20240712 | ||
| Qnap | QTS | QTS versions 5.1.x antérieures à 5.1.8.2823 build 20240712 | ||
| Qnap | N/A | Media Streaming add-on versions 500.1.x antérieures à 500.1.1.6 | ||
| Qnap | QTS | QTS versions 5.2.x antérieures à 5.2.1.2930 build 20241025 | ||
| Qnap | N/A | QNAP AI Core versions 3.4.x antérieures à 3.4.1 | ||
| Qnap | QuLog Center | QuLog Center versions 1.7.x antérieures à 1.7.0.831 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Photo Station versions 6.4.x ant\u00e9rieures \u00e0 6.4.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuRouter versions 2.4.x ant\u00e9rieures \u00e0 2.4.4.106",
"product": {
"name": "QuRouter",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuLog Center versions 1.8.x ant\u00e9rieures \u00e0 1.8.0.888",
"product": {
"name": "QuLog Center",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuRouter versions 2.4.x ant\u00e9rieures \u00e0 2.4.3.103",
"product": {
"name": "QuRouter",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h5.2.x ant\u00e9rieures \u00e0 h5.2.1.2929 build 20241025",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Notes Station 3 versions 3.9.x ant\u00e9rieures \u00e0 3.9.7",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h5.1.x ant\u00e9rieures \u00e0 h5.1.8.2823 build 20240712",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 5.1.x ant\u00e9rieures \u00e0 5.1.8.2823 build 20240712",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Media Streaming add-on versions 500.1.x ant\u00e9rieures \u00e0 500.1.1.6",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 5.2.x ant\u00e9rieures \u00e0 5.2.1.2930 build 20241025",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QNAP AI Core versions 3.4.x ant\u00e9rieures \u00e0 3.4.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuLog Center versions 1.7.x ant\u00e9rieures \u00e0 1.7.0.831 ",
"product": {
"name": "QuLog Center",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-50397",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50397"
},
{
"name": "CVE-2024-37050",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37050"
},
{
"name": "CVE-2024-38643",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38643"
},
{
"name": "CVE-2024-50398",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50398"
},
{
"name": "CVE-2024-37042",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37042"
},
{
"name": "CVE-2024-32768",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32768"
},
{
"name": "CVE-2024-48860",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-48860"
},
{
"name": "CVE-2024-50399",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50399"
},
{
"name": "CVE-2024-48861",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-48861"
},
{
"name": "CVE-2024-48862",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-48862"
},
{
"name": "CVE-2024-32770",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32770"
},
{
"name": "CVE-2024-37049",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37049"
},
{
"name": "CVE-2024-38644",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38644"
},
{
"name": "CVE-2024-37041",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37041"
},
{
"name": "CVE-2024-37048",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37048"
},
{
"name": "CVE-2024-50396",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50396"
},
{
"name": "CVE-2024-32767",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32767"
},
{
"name": "CVE-2024-37045",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37045"
},
{
"name": "CVE-2024-38647",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38647"
},
{
"name": "CVE-2024-37046",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37046"
},
{
"name": "CVE-2024-37047",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37047"
},
{
"name": "CVE-2023-38408",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38408"
},
{
"name": "CVE-2024-32769",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32769"
},
{
"name": "CVE-2024-50400",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50400"
},
{
"name": "CVE-2020-14145",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14145"
},
{
"name": "CVE-2024-38645",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38645"
},
{
"name": "CVE-2024-50395",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50395"
},
{
"name": "CVE-2024-37043",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37043"
},
{
"name": "CVE-2021-41617",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41617"
},
{
"name": "CVE-2024-38646",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38646"
},
{
"name": "CVE-2024-37044",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37044"
},
{
"name": "CVE-2024-50401",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50401"
}
],
"initial_release_date": "2024-11-25T00:00:00",
"last_revision_date": "2024-11-25T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-1018",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-11-25T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Qnap. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
"vendor_advisories": [
{
"published_at": "2024-11-23",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-44",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-44"
},
{
"published_at": "2024-11-23",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-36",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-36"
},
{
"published_at": "2024-11-23",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-37",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-37"
},
{
"published_at": "2024-11-23",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-39",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-39"
},
{
"published_at": "2024-11-23",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-47",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-47"
},
{
"published_at": "2024-11-23",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-40",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-40"
},
{
"published_at": "2024-11-23",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-46",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-46"
},
{
"published_at": "2024-11-23",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-43",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-43"
}
]
}
CERTFR-2024-AVI-0752
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Qnap. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Qnap | QuTS hero | QuTS hero versions h4.5.x antérieures à h4.5.4.2790 build 20240606 | ||
| Qnap | QTS | QTS versions 4.3.4 antérieures à 4.3.4.2814 build 20240618 | ||
| Qnap | Download Station | Download Station versions 5.8.x antérieures à 5.8.6.283 | ||
| Qnap | QTS | QTS versions 4.3.3 antérieures à 4.3.3.2784 build 20240619 | ||
| Qnap | QuMagie | QuMagie versions 2.3.x antérieures à 2.3.1 | ||
| Qnap | QTS | QTS versions 4.2.6 antérieures à 4.2.6 build 20240618 | ||
| Qnap | QTS | QTS versions 4.3.6 antérieures à 4.3.6.2805 build 20240619 | ||
| Qnap | Helpdesk | Helpdesk versions 3.3.x antérieures à 3.3.1 | ||
| Qnap | Notes Station | Notes Station 3 versions 3.9.x antérieures à 3.9.6 | ||
| Qnap | QTS | QTS versions 5.1.x antérieures à 5.2.0.2782 build 20240601 | ||
| Qnap | QuTS hero | QuTS hero versions h4.5.x antérieures à h4.5.4.2626 build 20231225 | ||
| Qnap | QuTS hero | QuTS hero versions h5.1.x antérieures à h5.2.0.2782 build 20240601 | ||
| Qnap | Music Station | Music Station versions 5.4.x antérieures à 5.4.0 | ||
| Qnap | Video Station | Video Station versions 5.8.x antérieures à 5.8.2 | ||
| Qnap | QTS | QTS versions 4.5.x antérieures à 4.5.4.2790 build 20240605 | ||
| Qnap | QuLog Center | QuLog Center versions 1.7.x.x antérieures à 1.7.0.827 | ||
| Qnap | QuLog Center | QuLog Center versions 1.8.x.x antérieures à 1.8.0.872 | ||
| Qnap | QVR | QVR Smart Client versions 2.4.x.x antérieures à 2.4.0.0570 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "QuTS hero versions h4.5.x ant\u00e9rieures \u00e0 h4.5.4.2790 build 20240606",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.3.4 ant\u00e9rieures \u00e0 4.3.4.2814 build 20240618",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Download Station versions 5.8.x ant\u00e9rieures \u00e0 5.8.6.283",
"product": {
"name": "Download Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.3.3 ant\u00e9rieures \u00e0 4.3.3.2784 build 20240619",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuMagie versions 2.3.x ant\u00e9rieures \u00e0 2.3.1",
"product": {
"name": "QuMagie",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.2.6 ant\u00e9rieures \u00e0 4.2.6 build 20240618",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.3.6 ant\u00e9rieures \u00e0 4.3.6.2805 build 20240619",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Helpdesk versions 3.3.x ant\u00e9rieures \u00e0 3.3.1",
"product": {
"name": "Helpdesk",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Notes Station 3 versions 3.9.x ant\u00e9rieures \u00e0 3.9.6",
"product": {
"name": "Notes Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 5.1.x ant\u00e9rieures \u00e0 5.2.0.2782 build 20240601",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h4.5.x ant\u00e9rieures \u00e0 h4.5.4.2626 build 20231225",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h5.1.x ant\u00e9rieures \u00e0 h5.2.0.2782 build 20240601",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Music Station versions 5.4.x ant\u00e9rieures \u00e0 5.4.0",
"product": {
"name": "Music Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Video Station versions 5.8.x ant\u00e9rieures \u00e0 5.8.2",
"product": {
"name": "Video Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.5.x ant\u00e9rieures \u00e0 4.5.4.2790 build 20240605",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuLog Center versions 1.7.x.x ant\u00e9rieures \u00e0 1.7.0.827",
"product": {
"name": "QuLog Center",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuLog Center versions 1.8.x.x ant\u00e9rieures \u00e0 1.8.0.872",
"product": {
"name": "QuLog Center",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QVR Smart Client versions 2.4.x.x ant\u00e9rieures \u00e0 2.4.0.0570",
"product": {
"name": "QVR",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2022-27592",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27592"
},
{
"name": "CVE-2023-50360",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50360"
},
{
"name": "CVE-2024-32762",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32762"
},
{
"name": "CVE-2024-21906",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21906"
},
{
"name": "CVE-2024-38640",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38640"
},
{
"name": "CVE-2024-53691",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53691"
},
{
"name": "CVE-2023-34974",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34974"
},
{
"name": "CVE-2024-27125",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27125"
},
{
"name": "CVE-2024-32763",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32763"
},
{
"name": "CVE-2024-27126",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27126"
},
{
"name": "CVE-2023-47563",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47563"
},
{
"name": "CVE-2024-38641",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38641"
},
{
"name": "CVE-2024-38642",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38642"
},
{
"name": "CVE-2023-34979",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34979"
},
{
"name": "CVE-2023-39298",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39298"
},
{
"name": "CVE-2023-39300",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39300"
},
{
"name": "CVE-2023-45038",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45038"
},
{
"name": "CVE-2024-32771",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32771"
},
{
"name": "CVE-2023-38545",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38545"
},
{
"name": "CVE-2024-27122",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27122"
}
],
"initial_release_date": "2024-09-09T00:00:00",
"last_revision_date": "2025-01-21T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0752",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-09-09T00:00:00.000000"
},
{
"description": "Ajout de l\u0027identifiant CVE-2024-53691.",
"revision_date": "2025-01-21T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Qnap. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
"vendor_advisories": [
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-24",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-24"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-26",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-26"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-34",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-34"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-30",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-30"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-21",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-21"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-27",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-27"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-29",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-29"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-28",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-28"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-32",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-32"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-25",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-25"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-33",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-33"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-22",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-22"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-35",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-35"
}
]
}
CERTFR-2024-AVI-0428
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Qnap. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "QTS versions 5.1.x ant\u00e9rieures \u00e0 5.1.7.2770 build 20240520",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h5.1.x ant\u00e9rieures \u00e0 h5.1.7.2770 build 20240520",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-21902",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21902"
},
{
"name": "CVE-2024-27128",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27128"
},
{
"name": "CVE-2024-27127",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27127"
},
{
"name": "CVE-2024-27130",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27130"
},
{
"name": "CVE-2024-27129",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27129"
}
],
"initial_release_date": "2024-05-22T00:00:00",
"last_revision_date": "2024-05-22T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0428",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-05-22T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Qnap. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
"vendor_advisories": [
{
"published_at": "2024-05-21",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-24-23",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-23"
}
]
}
CERTFR-2024-AVI-0354
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Qnap. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Qnap | N/A | QuTScloud versions c5.x antérieures à c5.1.5.2651 | ||
| Qnap | QTS | QTS versions 5.1.x antérieures à 5.1.6.2722 build 20240402 | ||
| Qnap | QTS | QTS versions 4.5.x antérieures à 4.5.4.2627 build 20231225 | ||
| Qnap | QuTS hero | QuTS hero versions h4.5.x antérieures à h4.5.4.2626 build 20231225 | ||
| Qnap | N/A | myQNAPcloud versions 1.0.x antérieures à 1.0.52 | ||
| Qnap | N/A | Proxy Server versions 1.4.x antérieures à 1.4.6 | ||
| Qnap | N/A | myQNAPcloud Link versions 2.4.x antérieures à 2.4.51 | ||
| Qnap | N/A | Media Streaming add-on versions 500.1.x antérieures à 500.1.1.5 | ||
| Qnap | QuTS hero | QuTS hero versions h5.1.x antérieures à h5.1.6.2734 build 20240414 | ||
| Qnap | N/A | QuFirewall versions 2.4.x antérieures à 2.4.1 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "QuTScloud versions c5.x ant\u00e9rieures \u00e0 c5.1.5.2651",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 5.1.x ant\u00e9rieures \u00e0 5.1.6.2722 build 20240402",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.5.x ant\u00e9rieures \u00e0 4.5.4.2627 build 20231225",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h4.5.x ant\u00e9rieures \u00e0 h4.5.4.2626 build 20231225",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "myQNAPcloud versions 1.0.x ant\u00e9rieures \u00e0 1.0.52",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Proxy Server versions 1.4.x ant\u00e9rieures \u00e0 1.4.6",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "myQNAPcloud Link versions 2.4.x ant\u00e9rieures \u00e0 2.4.51",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Media Streaming add-on versions 500.1.x ant\u00e9rieures \u00e0 500.1.1.5",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h5.1.x ant\u00e9rieures \u00e0 h5.1.6.2734 build 20240414",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuFirewall versions 2.4.x ant\u00e9rieures \u00e0 2.4.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2024-32766",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32766"
},
{
"name": "CVE-2023-5824",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5824"
},
{
"name": "CVE-2024-27124",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27124"
},
{
"name": "CVE-2023-50363",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50363"
},
{
"name": "CVE-2023-46846",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46846"
},
{
"name": "CVE-2023-46847",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46847"
},
{
"name": "CVE-2023-41290",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-41290"
},
{
"name": "CVE-2024-21905",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21905"
},
{
"name": "CVE-2023-46724",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46724"
},
{
"name": "CVE-2024-21900",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21900"
},
{
"name": "CVE-2023-41291",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-41291"
},
{
"name": "CVE-2023-51365",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-51365"
},
{
"name": "CVE-2024-21901",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21901"
},
{
"name": "CVE-2024-32764",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32764"
},
{
"name": "CVE-2023-50364",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50364"
},
{
"name": "CVE-2024-21899",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21899"
},
{
"name": "CVE-2023-51364",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-51364"
},
{
"name": "CVE-2023-50362",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50362"
},
{
"name": "CVE-2023-47222",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47222"
},
{
"name": "CVE-2023-50361",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50361"
}
],
"initial_release_date": "2024-04-29T00:00:00",
"last_revision_date": "2024-04-29T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0354",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-04-29T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles produits Qnap\u003c/span\u003e. Elles permettent \u00e0 un attaquant\nde provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0\nla confidentialit\u00e9 des donn\u00e9es et un contournement de la politique de\ns\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-24-16 du 26 avril 2024",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-16"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-24-15 du 26 avril 2024",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-15"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-24-18 du 26 avril 2024",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-18"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-24-14 du 26 avril 2024",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-14"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-24-20 du 26 avril 2024",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-20"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-24-17 du 26 avril 2024",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-17"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-24-09 du 09 mars 2024",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-09"
}
]
}
CERTFR-2024-AVI-0201
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Qnap. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une injection de code indirecte à distance (XSS), et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Qnap | N/A | QuTScloud versions c5.x antérieures à c5.1.5.2651 | ||
| Qnap | N/A | Photo Station versions 6.4.x antérieures à 6.4.2 | ||
| Qnap | QTS | QTS versions 4.5.x antérieures à 4.5.4.2627 build 20231225 | ||
| Qnap | QTS | QTS versions 5.1.x antérieures à 5.1.4.2596 build 20231128 | ||
| Qnap | QuTS hero | QuTS hero versions h5.1.x antérieures à h5.1.4.2596 build 20231128 | ||
| Qnap | QuTS hero | QuTS hero versions h4.5.x antérieures à h4.5.4.2626 build 20231225 | ||
| Qnap | N/A | myQNAPcloud versions 1.0.x antérieures à 1.0.52 |
References
| Title | Publication Time | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "QuTScloud versions c5.x ant\u00e9rieures \u00e0 c5.1.5.2651",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Photo Station versions 6.4.x ant\u00e9rieures \u00e0 6.4.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.5.x ant\u00e9rieures \u00e0 4.5.4.2627 build 20231225",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 5.1.x ant\u00e9rieures \u00e0 5.1.4.2596 build 20231128",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h5.1.x ant\u00e9rieures \u00e0 h5.1.4.2596 build 20231128",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h4.5.x ant\u00e9rieures \u00e0 h4.5.4.2626 build 20231225",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "myQNAPcloud versions 1.0.x ant\u00e9rieures \u00e0 1.0.52",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2023-34975",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34975"
},
{
"name": "CVE-2023-47221",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47221"
},
{
"name": "CVE-2024-21900",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21900"
},
{
"name": "CVE-2024-21901",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21901"
},
{
"name": "CVE-2024-21899",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21899"
},
{
"name": "CVE-2023-32969",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32969"
},
{
"name": "CVE-2023-34980",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34980"
}
],
"initial_release_date": "2024-03-11T00:00:00",
"last_revision_date": "2024-03-11T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0201",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-03-11T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles produits Qnap\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance, une injection de code indirecte \u00e0 distance (XSS), et une\natteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-09 du 09 mars 2024",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-24-09"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-11 du 09 mars 2024",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-24-11"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-12 du 09 mars 2024",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-24-12"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-13 du 09 mars 2024",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-24-13"
}
]
}