CVE-2023-47568

Published: Feb 2, 2024Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A SQL injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later

Affected (47)

Products: Qnap: Qts, Quts Hero, Qutscloud

3 products

Configuration A

47 vulnerable

Vulnerable Software	Affected Versions
Qnap Qts	Version 4.5.4.1715 build_20210630
Qnap Qts	Version 4.5.4.1723 build_20210708
Qnap Qts	Version 4.5.4.1741 build_20210726
Qnap Qts	Version 4.5.4.1787 build_20210910
Qnap Qts	Version 4.5.4.1800 build_20210923
Qnap Qts	Version 4.5.4.1892 build_20211223
Qnap Qts	Version 4.5.4.1931 build_20220128
Qnap Qts	Version 4.5.4.2012 build_20220419
Qnap Qts	Version 4.5.4.2117 build_20220802
Qnap Qts	Version 4.5.4.2280 build_20230112
Qnap Qts	Version 4.5.4.2374 build_20230416
Qnap Qts	Version 4.5.4.2627
Qnap Qts	Version 5.1.0.2348 build_20230325
Qnap Qts	Version 5.1.0.2399 build_20230515
Qnap Qts	Version 5.1.0.2418 build_20230603
Qnap Qts	Version 5.1.0.2444 build_20230629
Qnap Qts	Version 5.1.0.2466 build_20230721
Qnap Qts	Version 5.1.1.2491 build_20230815
Qnap Qts	Version 5.1.2.2533 build_20230926
Qnap Qts	Version 5.1.3.2578 build_20231110
Qnap Qts	Version 5.1.4.2596 build_20231128
Qnap Qts	Version 5.1.5.2645
Qnap Quts Hero	Version h4.5.4.1771 build_20210825
Qnap Quts Hero	Version h4.5.4.1800 build_20210923
Qnap Quts Hero	Version h4.5.4.1813 build_20211006
Qnap Quts Hero	Version h4.5.4.1848 build_20211109
Qnap Quts Hero	Version h4.5.4.1892 build_20211223
Qnap Quts Hero	Version h4.5.4.1951 build_20220218
Qnap Quts Hero	Version h4.5.4.1971 build_20220310
Qnap Quts Hero	Version h4.5.4.1991 build_20220330
Qnap Quts Hero	Version h4.5.4.2052 build_20220530
Qnap Quts Hero	Version h4.5.4.2138 build_20220824
Qnap Quts Hero	Version h4.5.4.2217 build_20221111
Qnap Quts Hero	Version h4.5.4.2272 build_20230105
Qnap Quts Hero	Version h4.5.4.2374 build_20230417
Qnap Quts Hero	Version h4.5.4.2476 build_20230728
Qnap Quts Hero	Version h4.5.4.2626
Qnap Quts Hero	Version h5.1.0.2409 build_20230525
Qnap Quts Hero	Version h5.1.0.2424 build_20230609
Qnap Quts Hero	Version h5.1.0.2453 build_20230708
Qnap Quts Hero	Version h5.1.0.2466 build_20230721
Qnap Quts Hero	Version h5.1.1.2488 build_20230812
Qnap Quts Hero	Version h5.1.2.2534 build_20230927
Qnap Quts Hero	Version h5.1.3.2578 build_20231110
Qnap Quts Hero	Version h5.1.4.2596 build_20231128
Qnap Quts Hero	Version h5.1.5.2647
Qnap Qutscloud	Version c5.1.0.2498 build_20230822

Related CWEs

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (2)

https://www.qnap.com/en/security-advisory/qsa-24-05

Source: security@qnapsecurity.com.tw

Vendor Advisory

https://www.qnap.com/en/security-advisory/qsa-24-05

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.