CVE-2024-21900

Published: Mar 8, 2024Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later

Affected (5)

Products: Qnap: Qts, Quts Hero, Qutscloud

3 products

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Qnap Qts	Before 5.1.3.2578
Qnap Qts	Version 5.1.3.2578
Qnap Quts Hero	Before h5.1.3.2578
Qnap Quts Hero	Version h5.1.3.2578
Qnap Qutscloud	Before c5.1.5.2651

Related CWEs

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (2)

https://www.qnap.com/en/security-advisory/qsa-24-09

Source: security@qnapsecurity.com.tw

Vendor Advisory

https://www.qnap.com/en/security-advisory/qsa-24-09

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.