Qnap
Products by Qnap Sorted by Most Security Vulnerabilities since 2018
Known Exploited Qnap Vulnerabilities
The following Qnap vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
Title | Description | Added |
---|---|---|
QNAP VioStor NVR OS Command Injection Vulnerability | QNAP VioStor NVR contains an OS command injection vulnerability that allows authenticated users to execute commands via a network. CVE-2023-47565 | December 21, 2023 |
QNAP Photo Station Externally Controlled Reference Vulnerability | Certain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerability was observed being utilized in a Deadbolt ransomware campaign. CVE-2022-27593 | September 8, 2022 |
QNAP Photo Station Path Traversal Vulnerability | QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. CVE-2019-7195 | June 8, 2022 |
QNAP Photo Station Path Traversal Vulnerability | QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. CVE-2019-7194 | June 8, 2022 |
QNAP QTS Improper Input Validation Vulnerability | QNAP QTS contains an improper input validation vulnerability allowing remote attackers to inject code on the system. CVE-2019-7193 | June 8, 2022 |
QNAP Photo Station Improper Access Control Vulnerability | QNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system. CVE-2019-7192 | June 8, 2022 |
QNAP NAS File Station Cross-Site Scripting Vulnerability | A cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code. CVE-2018-19953 | May 24, 2022 |
QNAP NAS File Station Command Injection Vulnerability | A command injection vulnerability affecting QNAP NAS File Station could allow remote attackers to run commands. CVE-2018-19949 | May 24, 2022 |
QNAP NAS File Station Cross-Site Scripting Vulnerability | A cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code. CVE-2018-19943 | May 24, 2022 |
QNAP Network-Attached Storage (NAS) Command Injection Vulnerability | QNAP NAS devices contain a command injection vulnerability which could allow attackers to perform remote code execution. CVE-2020-2509 | April 11, 2022 |
QNAP NAS Improper Authorization Vulnerability | QNAP NAS running HBS 3 contains an improper authorization vulnerability which can allow remote attackers to log in to a device. CVE-2021-28799 | March 31, 2022 |
By the Year
In 2024 there have been 47 vulnerabilities in Qnap, with an average score of 7.3 out of ten. Last year, Qnap had 37 security vulnerabilities published, so 10 more vulnerabilities have already been reported in 2024 than last year. The average CVE base score of the vulnerabilities in 2024 is also greater, by 0.14.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 47 | 7.30 |
2023 | 37 | 7.16 |
2022 | 18 | 8.37 |
2021 | 30 | 8.07 |
2020 | 15 | 7.06 |
2019 | 6 | 8.25 |
2018 | 17 | 7.84 |
It may take a day or so for new Qnap vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Qnap Security Vulnerabilities
A SQL injection vulnerability has been reported to affect myQNAPcloud
CVE-2024-21901
4.7 - Medium
- March 08, 2024
A SQL injection vulnerability has been reported to affect myQNAPcloud. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network. We have already fixed the vulnerability in the following versions: myQNAPcloud 1.0.52 ( 2023/11/24 ) and later QTS 4.5.4.2627 build 20231225 and later
SQL Injection
An injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-21900
6.5 - Medium
- March 08, 2024
An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later
Injection
An improper authentication vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-21899
9.8 - Critical
- March 08, 2024
An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later
Authentication
An unchecked return value vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-50359
6.7 - Medium
- February 02, 2024
An unchecked return value vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local authenticated administrators to place the system in a state that could lead to a crash or other unintended behaviors via unspecified vectors. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later
Unchecked Return Value
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-47566
7.2 - High
- February 02, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later
Shell injection
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45037
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45036
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
An uncontrolled resource consumption vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45028
4.9 - Medium
- February 02, 2024
An uncontrolled resource consumption vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later
Allocation of Resources Without Limits or Throttling
A path traversal vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45027
4.9 - Medium
- February 02, 2024
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later
Directory traversal
A path traversal vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45026
4.9 - Medium
- February 02, 2024
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later
Directory traversal
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41292
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41283
7.2 - High
- February 02, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTScloud c5.1.5.2651 and later
Shell injection
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41282
7.2 - High
- February 02, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTScloud c5.1.5.2651 and later
Shell injection
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41281
7.2 - High
- February 02, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTScloud c5.1.5.2651 and later
Shell injection
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41280
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.1.2.2534 build 20230927 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41279
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.1.2.2534 build 20230927 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41278
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.1.2.2534 build 20230927 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41277
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.1.2.2534 build 20230927 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41276
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.1.2.2534 build 20230927 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41275
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.1.2.2534 build 20230927 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41274
4.9 - Medium
- February 02, 2024
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.1.2.2534 build 20230927 and later QuTScloud c5.1.5.2651 and later
NULL Pointer Dereference
A heap-based buffer overflow vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41273
7.2 - High
- February 02, 2024
A heap-based buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.1.2.2534 build 20230927 and later QuTScloud c5.1.5.2651 and later
Memory Corruption
An improper authentication vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-39303
9.8 - Critical
- February 02, 2024
An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later
Authentication
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-39302
7.2 - High
- February 02, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later
Shell injection
An OS command injection vulnerability has been reported to affect Photo Station
CVE-2023-47562
8.8 - High
- February 02, 2024
An OS command injection vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: Photo Station 6.4.2 ( 2023/12/15 ) and later
Command Injection
A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station
CVE-2023-47561
5.4 - Medium
- February 02, 2024
A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Photo Station 6.4.2 ( 2023/12/15 ) and later
XSS
A SQL injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-47568
8.8 - High
- February 02, 2024
A SQL injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later
SQL Injection
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-47567
7.2 - High
- February 02, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later
Shell injection
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45035
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45025
9.8 - Critical
- February 02, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later
Shell injection
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-39297
8.8 - High
- February 02, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later
Shell injection
An incorrect authorization vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-32967
6.5 - Medium
- February 02, 2024
An incorrect authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to bypass intended access restrictions via a network. QTS 5.x, QuTS hero are not affected. We have already fixed the vulnerability in the following versions: QuTScloud c5.1.5.2651 and later QTS 4.5.4.2627 build 20231225 and later
AuthZ
An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central
CVE-2023-47564
8.1 - High
- February 02, 2024
An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network. We have already fixed the vulnerability in the following versions: Qsync Central 4.4.0.15 ( 2024/01/04 ) and later Qsync Central 4.3.0.11 ( 2024/01/11 ) and later
Incorrect Permission Assignment for Critical Resource
A SQL injection vulnerability has been reported to affect QuMagie
CVE-2023-47219
8.8 - High
- January 05, 2024
A SQL injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: QuMagie 2.2.1 and later
SQL Injection
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45044
7.2 - High
- January 05, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45043
7.2 - High
- January 05, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45042
7.2 - High
- January 05, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45041
7.2 - High
- January 05, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45040
7.2 - High
- January 05, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45039
7.2 - High
- January 05, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later
Classic Buffer Overflow
An OS command injection vulnerability has been reported to affect QcalAgent
CVE-2023-41289
8.8 - High
- January 05, 2024
An OS command injection vulnerability has been reported to affect QcalAgent. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: QcalAgent 1.1.8 and later
Shell injection
An OS command injection vulnerability has been reported to affect Video Station
CVE-2023-41288
8.8 - High
- January 05, 2024
An OS command injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following version: Video Station 5.7.2 ( 2023/11/23 ) and later
Shell injection
A SQL injection vulnerability has been reported to affect Video Station
CVE-2023-41287
8.8 - High
- January 05, 2024
A SQL injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Video Station 5.7.2 ( 2023/11/23 ) and later
SQL Injection
An OS command injection vulnerability has been reported to affect QuMagie
CVE-2023-47560
8.8 - High
- January 05, 2024
An OS command injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: QuMagie 2.2.1 and later
Shell injection
A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie
CVE-2023-47559
5.4 - Medium
- January 05, 2024
A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: QuMagie 2.2.1 and later
XSS
A prototype pollution vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-39296
7.5 - High
- January 05, 2024
A prototype pollution vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to override existing attributes with ones that have incompatible type, which may lead to a crash via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later
Prototype Pollution
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-39294
7.2 - High
- January 05, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later
Shell injection
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-23372
6.1 - Medium
- December 08, 2023
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2425 build 20230609 and later QTS 5.1.0.2444 build 20230629 and later QTS 4.5.4.2467 build 20230718 and later QuTS hero h5.1.0.2424 build 20230609 and later QuTS hero h5.0.1.2515 build 20230907 and later QuTS hero h4.5.4.2476 build 20230728 and later
XSS
An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x
CVE-2023-47565
8.8 - High
- December 08, 2023
An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QVR Firmware 5.0.0 and later
Shell injection
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-32975
7.2 - High
- December 08, 2023
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2514 build 20230906 and later QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.0.1.2515 build 20230907 and later QuTS hero h5.1.2.2534 build 20230927 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-32968
7.2 - High
- December 08, 2023
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2514 build 20230906 and later; QTS 5.1.2.2533 build 20230926 and later; QuTS hero h5.0.1.2515 build 20230907 and later; QuTS hero h5.1.2.2534 build 20230927 and later
Classic Buffer Overflow
A SQL injection vulnerability has been reported to affect QuMagie
CVE-2023-41285
8.8 - High
- November 10, 2023
A SQL injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: QuMagie 2.1.4 and later
A SQL injection vulnerability has been reported to affect QuMagie
CVE-2023-41284
8.8 - High
- November 10, 2023
A SQL injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: QuMagie 2.1.4 and later
An OS command injection vulnerability has been reported to affect QuMagie
CVE-2023-39295
8.8 - High
- November 10, 2023
An OS command injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: QuMagie 2.1.3 and later
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-23367
7.2 - High
- November 10, 2023
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376 build 20230421 and later; QuTS hero h5.0.1.2376 build 20230421 and later; QuTScloud c5.1.0.2498 and later
A server-side request forgery (SSRF) vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-39301
4.3 - Medium
- November 03, 2023
A server-side request forgery (SSRF) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to read application data via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2514 build 20230906 and later; QTS 5.1.1.2491 build 20230815 and later; QuTS hero h5.0.1.2515 build 20230907 and later; QuTS hero h5.1.1.2488 build 20230812 and later; QuTScloud c5.1.0.2498 and later
XSPA
A path traversal vulnerability has been reported to affect Music Station
CVE-2023-39299
7.5 - High
- November 03, 2023
A path traversal vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: Music Station 4.8.11 and later; Music Station 5.1.16 and later; Music Station 5.3.23 and later
Directory traversal
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-23369
9.8 - Critical
- November 03, 2023
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: Multimedia Console 2.1.2 (2023/05/04) and later; Multimedia Console 1.4.8 (2023/05/05) and later; QTS 5.1.0.2399 build 20230515 and later; QTS 4.3.6.2441 build 20230621 and later; QTS 4.3.4.2451 build 20230621 and later; QTS 4.3.3.2420 build 20230621 and later; QTS 4.2.6 build 20230621 and later; Media Streaming add-on 500.1.1.2 (2023/06/12) and later; Media Streaming add-on 500.0.0.11 (2023/06/16) and later
Shell injection
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-23368
9.8 - Critical
- November 03, 2023
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376 build 20230421 and later; QTS 4.5.4.2374 build 20230416 and later; QuTS hero h5.0.1.2376 build 20230421 and later; QuTS hero h4.5.4.2374 build 20230417 and later; QuTScloud c5.0.1.2374 and later
Shell injection
An OS command injection vulnerability has been reported to affect QUSBCam2
CVE-2023-23373
8.8 - High
- October 20, 2023
An OS command injection vulnerability has been reported to affect QUSBCam2. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following version: QUSBCam2 2.0.3 (2023/06/15) and later
Shell injection
A cross-site scripting (XSS) vulnerability has been reported to affect Video Station
CVE-2023-34977
5.4 - Medium
- October 13, 2023
A cross-site scripting (XSS) vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Video Station 5.7.0 (2023/07/27) and later
XSS
A SQL injection vulnerability has been reported to affect Video Station
CVE-2023-34976
8.8 - High
- October 13, 2023
A SQL injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Video Station 5.7.0 (2023/07/27) and later
SQL Injection
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-34975
8.8 - High
- October 13, 2023
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. QuTScloud c5.1.x is not affected. We have already fixed the vulnerability in the following versions: QuTS hero h4.5.4.2626 build 20231225 and later; QTS 4.5.4.2627 build 20231225 and later
Shell injection
An OS command injection vulnerability has been reported to affect Container Station
CVE-2023-32976
7.2 - High
- October 13, 2023
An OS command injection vulnerability has been reported to affect Container Station. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following version: Container Station 2.6.7.44 and later
Shell injection
A path traversal vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-32974
7.5 - High
- October 13, 2023
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.0.2444 build 20230629 and later; QuTS hero h5.1.0.2424 build 20230609 and later; QuTScloud c5.1.0.2498 and later
Directory traversal
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-32973
7.2 - High
- October 13, 2023
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2425 build 20230609 and later; QTS 5.1.0.2444 build 20230629 and later; QTS 4.5.4.2467 build 20230718 and later; QuTS hero h5.0.1.2515 build 20230907 and later; QuTS hero h5.1.0.2424 build 20230609 and later; QuTS hero h4.5.4.2476 build 20230728 and later; QuTScloud c5.1.0.2498 and later
Memory Corruption
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-32970
4.9 - Medium
- October 13, 2023
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network. QES is not affected. We have already fixed the vulnerability in the following versions: QuTS hero h5.0.1.2515 build 20230907 and later; QuTS hero h5.1.0.2453 build 20230708 and later; QuTS hero h4.5.4.2476 build 20230728 and later; QuTScloud c5.1.0.2498 and later; QTS 5.1.0.2444 build 20230629 and later; QTS 4.5.4.2467 build 20230718 and later
NULL Pointer Dereference
A path traversal vulnerability has been reported to affect Music Station
CVE-2023-23366
6.5 - Medium
- October 06, 2023
A path traversal vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow authenticated users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following version: Music Station 5.3.22 and later
Directory traversal
A path traversal vulnerability has been reported to affect Music Station
CVE-2023-23365
6.5 - Medium
- October 06, 2023
A path traversal vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow authenticated users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following version: Music Station 5.3.22 and later
Directory traversal
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-32972
7.2 - High
- October 06, 2023
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2425 build 20230609 and later; QTS 5.1.0.2444 build 20230629 and later; QTS 4.5.4.2467 build 20230718 and later; QuTS hero h5.0.1.2515 build 20230907 and later; QuTS hero h5.1.0.2424 build 20230609 and later; QuTS hero h4.5.4.2476 build 20230728 and later; QuTScloud c5.1.0.2498 and later
Memory Corruption
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-32971
7.2 - High
- October 06, 2023
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2425 build 20230609 and later; QTS 5.1.0.2444 build 20230629 and later; QTS 4.5.4.2467 build 20230718 and later; QuTS hero h5.0.1.2515 build 20230907 and later; QuTS hero h5.1.0.2424 build 20230609 and later; QuTS hero h4.5.4.2476 build 20230728 and later; QuTScloud c5.1.0.2498 and later
Memory Corruption
A cleartext transmission of sensitive information vulnerability has been reported to affect QVPN Device Client
CVE-2023-23371
4.4 - Medium
- October 06, 2023
A cleartext transmission of sensitive information vulnerability has been reported to affect QVPN Device Client. If exploited, the vulnerability could allow local authenticated administrators to read sensitive data via unspecified vectors. We have already fixed the vulnerability in the following version: QVPN Windows 2.2.0.0823 and later
Cleartext Transmission of Sensitive Information
An insufficiently protected credentials vulnerability has been reported to affect QVPN Device Client
CVE-2023-23370
4.4 - Medium
- October 06, 2023
An insufficiently protected credentials vulnerability has been reported to affect QVPN Device Client. If exploited, the vulnerability could allow local authenticated administrators to gain access to user accounts and access sensitive data used by the user account via unspecified vectors. We have already fixed the vulnerability in the following version: QVPN Windows 2.1.0.0518 and later
Insufficiently Protected Credentials
A buffer copy without checking size of input vulnerability has been reported to affect QNAP operating systems
CVE-2023-23364
9.8 - Critical
- September 22, 2023
A buffer copy without checking size of input vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote users to execute code via unspecified vectors. We have already fixed the vulnerability in the following versions: Multimedia Console 2.1.1 (2023/03/29) and later; Multimedia Console 1.4.7 (2023/03/20) and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect QNAP operating system
CVE-2023-23363
9.8 - Critical
- September 22, 2023
A buffer copy without checking size of input vulnerability has been reported to affect QNAP operating system. If exploited, the vulnerability possibly allows remote users to execute code via unspecified vectors. We have already fixed the vulnerability in the following versions: QTS 4.3.6.2441 build 20230621 and later; QTS 4.3.3.2420 build 20230621 and later; QTS 4.2.6 build 20230621 and later; QTS 4.3.4.2451 build 20230621 and later
Classic Buffer Overflow
An OS command injection vulnerability has been reported to affect QNAP operating systems
CVE-2023-23362
8.8 - High
- September 22, 2023
An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability allows remote authenticated users to execute commands via susceptible QNAP devices. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376 build 20230421 and later; QTS 4.5.4.2374 build 20230416 and later; QuTS hero h5.0.1.2376 build 20230421 and later; QuTS hero h4.5.4.2374 build 20230417 and later; QuTScloud c5.0.1.2374 and later
Shell injection
An insertion of sensitive information into Log file vulnerability has been reported to affect product
CVE-2022-27599
4.4 - Medium
- September 08, 2023
An insertion of sensitive information into Log file vulnerability has been reported to affect product. If exploited, the vulnerability possibly provides local authenticated administrators with an additional, less-protected path to acquiring the information via unspecified vectors. We have already fixed the vulnerability in the following version: Windows 10 SP1, Windows 11, Mac OS, and Mac M1: QVR Pro Client 2.3.0.0420 and later
Insertion of Sensitive Information into Log File
An insufficient entropy vulnerability has been reported to affect QNAP operating systems
CVE-2023-34973
5.3 - Medium
- August 24, 2023
An insufficient entropy vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote users to predict secret via unspecified vectors. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2425 build 20230609 and later; QTS 5.1.0.2444 build 20230629 and later; QuTS hero h5.1.0.2424 build 20230609 and later
Insufficient Entropy
A cleartext transmission of sensitive information vulnerability has been reported to affect QNAP operating systems
CVE-2023-34972
6.5 - Medium
- August 24, 2023
A cleartext transmission of sensitive information vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows local network clients to read the contents of unexpected sensitive data via unspecified vectors. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2425 build 20230609 and later; QTS 5.1.0.2444 build 20230629 and later; QuTS hero h5.1.0.2424 build 20230609 and later
Cleartext Transmission of Sensitive Information
An inadequate encryption strength vulnerability has been reported to affect QNAP operating systems
CVE-2023-34971
8.8 - High
- August 24, 2023
An inadequate encryption strength vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows local network clients to decrypt the data using brute force attacks via unspecified vectors. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2425 build 20230609 and later; QTS 5.1.0.2444 build 20230629 and later; QTS 4.5.4.2467 build 20230718 and later; QuTS hero h5.1.0.2424 build 20230609 and later; QuTS hero h4.5.4.2476 build 20230728 and later
Inadequate Encryption Strength
A vulnerability has been reported to affect QNAP operating systems
CVE-2022-27598
2.7 - Low
- March 29, 2023
A vulnerability has been reported to affect QNAP operating systems. If exploited, the out-of-bounds read vulnerability allows remote authenticated administrators to get secret values. The vulnerability affects the following QNAP operating systems: QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances). We have already fixed the vulnerability in the following versions: QTS 5.0.1.2346 build 20230322 and later; QuTS hero h5.0.1.2348 build 20230324 and later
A vulnerability has been reported to affect QNAP operating systems
CVE-2022-27597
2.7 - Low
- March 29, 2023
A vulnerability has been reported to affect QNAP operating systems. If exploited, the out-of-bounds read vulnerability allows remote authenticated administrators to get secret values. The vulnerability affects the following QNAP operating systems: QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances). We have already fixed the vulnerability in the following versions: QTS 5.0.1.2346 build 20230322 and later; QuTS hero h5.0.1.2348 build 20230324 and later
An OS command injection vulnerability has been reported to affect QNAP operating systems
CVE-2023-23355
7.2 - High
- March 29, 2023
An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote authenticated administrators to execute commands via unspecified vectors. QES is not affected. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2346 build 20230322 and later; QTS 4.5.4.2374 build 20230416 and later; QuTS hero h5.0.1.2348 build 20230324 and later; QuTS hero h4.5.4.2374 build 20230417 and later; QuTScloud c5.0.1.2374 and later
Command Injection
A vulnerability has been reported to affect QNAP device running QuTS hero, QTS
CVE-2022-27596
9.8 - Critical
- January 30, 2023
A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QuTS hero, QTS: QuTS hero h5.0.1.2248 build 20221215 and later; QTS 5.0.1.2234 build 20221201 and later
SQL Injection
We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.6 build 20220401 and later
CVE-2022-27588
9.8 - Critical
- May 05, 2022
We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.6 build 20220401 and later
Command Injection
An improper authentication vulnerability has been reported to affect QNAP device running Photo Station
CVE-2021-44057
9.8 - Critical
- May 05, 2022
An improper authentication vulnerability has been reported to affect QNAP device running Photo Station. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of Photo Station: Photo Station 6.0.20 (2022/02/15) and later; Photo Station 5.7.16 (2022/02/11) and later; Photo Station 5.4.13 (2022/02/11) and later
Authentication
An improper authentication vulnerability has been reported to affect QNAP device running Video Station
CVE-2021-44056
9.8 - Critical
- May 05, 2022
An improper authentication vulnerability has been reported to affect QNAP device running Video Station. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of Video Station: Video Station 5.5.9 and later; Video Station 5.3.13 and later; Video Station 5.1.8 and later
Authentication
A missing authorization vulnerability has been reported to affect QNAP device running Video Station
CVE-2021-44055
9.8 - Critical
- May 05, 2022
A missing authorization vulnerability has been reported to affect QNAP device running Video Station. If exploited, this vulnerability allows remote attackers to access data or perform actions that they should not be allowed to perform. We have already fixed this vulnerability in the following versions of Video Station: Video Station 5.5.9 (2022/02/16) and later
AuthZ
An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS
CVE-2021-44054
6.1 - Medium
- May 05, 2022
An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later; QuTS hero h5.0.0.1949 build 20220215 and later; QuTS hero h4.5.4.1951 build 20220218 and later; QTS 5.0.0.1986 build 20220324 and later; QTS 4.5.4.1991 build 20220329 and later
Open Redirect
A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QTS, QuTS hero and QuTScloud
CVE-2021-44053
6.1 - Medium
- May 05, 2022
A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QTS 4.5.4.1991 build 20220329 and later; QTS 5.0.0.1986 build 20220324 and later; QuTS hero h5.0.0.1986 build 20220324 and later; QuTS hero h4.5.4.1971 build 20220310 and later; QuTScloud c5.0.1.1949 and later
XSS
An improper link resolution before file access ('Link Following') vulnerability has been reported to affect QNAP device running QuTScloud
CVE-2021-44052
8.1 - High
- May 05, 2022
An improper link resolution before file access ('Link Following') vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, and QTS. If exploited, this vulnerability allows remote attackers to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, and QTS: QuTScloud c5.0.1.1998 and later; QuTS hero h4.5.4.1971 build 20220310 and later; QuTS hero h5.0.0.1986 build 20220324 and later; QTS 4.3.4.1976 build 20220303 and later; QTS 4.3.3.1945 build 20220303 and later; QTS 4.2.6 build 20220304 and later; QTS 4.3.6.1965 build 20220302 and later; QTS 5.0.0.1986 build 20220324 and later; QTS 4.5.4.1991 build 20220329 and later
insecure temporary file
A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS
CVE-2021-44051
8.8 - High
- May 05, 2022
A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later; QuTS hero h5.0.0.1986 build 20220324 and later; QTS 5.0.0.1986 build 20220324 and later
Command Injection
A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance
CVE-2021-38693
5.3 - Medium
- May 05, 2022
A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. If exploited, this vulnerability allows attackers to read the contents of unexpected files and expose sensitive data. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance: QuTScloud c5.0.1.1949 and later; QuTS hero h5.0.0.1949 build 20220215 and later; QuTS hero h4.5.4.1951 build 20220218 and later; QTS 5.0.0.1986 build 20220324 and later; QTS 4.5.4.1991 build 20220329 and later
Directory traversal
An improper authentication vulnerability has been reported to affect QNAP NAS running Kazoo Server
CVE-2021-38679
9.8 - Critical
- February 11, 2022
An improper authentication vulnerability has been reported to affect QNAP NAS running Kazoo Server. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of Kazoo Server: Kazoo Server 4.11.22 and later
Authentication
An open redirect vulnerability has been reported to affect QNAP device running QcalAgent
CVE-2021-38678
6.1 - Medium
- January 14, 2022
An open redirect vulnerability has been reported to affect QNAP device running QcalAgent. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QcalAgent: QcalAgent 1.1.7 and later
Open Redirect
A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QcalAgent
CVE-2021-38677
6.1 - Medium
- January 14, 2022
A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QcalAgent. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QcalAgent: QcalAgent 1.1.7 and later
XSS
A stack buffer overflow vulnerability has been reported to affect QNAP device running QVR Elite, QVR Pro, QVR Guard
CVE-2021-38692
9.8 - Critical
- January 14, 2022
A stack buffer overflow vulnerability has been reported to affect QNAP device running QVR Elite, QVR Pro, QVR Guard. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QVR Elite, QVR Pro, QVR Guard: QuTS hero h5.0.0: QVR Elite 2.1.4.0 (2021/12/06) and later; QuTS hero h4.5.4: QVR Elite 2.1.4.0 (2021/12/06) and later; QTS 5.0.0: QVR Elite 2.1.4.0 (2021/12/06) and later; QTS 4.5.4: QVR Elite 2.1.4.0 (2021/12/06) and later; QTS 4.5.4: QVR Pro 2.1.3.0 (2021/12/06) and later; QTS 5.0.0: QVR Pro 2.1.3.0 (2021/12/06) and later; QTS 4.5.4: QVR Guard 2.1.3.0 (2021/12/06) and later; QTS 5.0.0: QVR Guard 2.1.3.0 (2021/12/06) and later
Memory Corruption
A stack buffer overflow vulnerability has been reported to affect QNAP device running QVR Elite, QVR Pro, QVR Guard
CVE-2021-38691
9.8 - Critical
- January 14, 2022
A stack buffer overflow vulnerability has been reported to affect QNAP device running QVR Elite, QVR Pro, QVR Guard. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QVR Elite, QVR Pro, QVR Guard: QuTS hero h5.0.0: QVR Elite 2.1.4.0 (2021/12/06) and later; QuTS hero h4.5.4: QVR Elite 2.1.4.0 (2021/12/06) and later; QTS 5.0.0: QVR Elite 2.1.4.0 (2021/12/06) and later; QTS 4.5.4: QVR Elite 2.1.4.0 (2021/12/06) and later; QTS 4.5.4: QVR Pro 2.1.3.0 (2021/12/06) and later; QTS 5.0.0: QVR Pro 2.1.3.0 (2021/12/06) and later; QTS 4.5.4: QVR Guard 2.1.3.0 (2021/12/06) and later; QTS 5.0.0: QVR Guard 2.1.3.0 (2021/12/06) and later
Memory Corruption
A stack buffer overflow vulnerability has been reported to affect QNAP device running QVR Elite, QVR Pro, QVR Guard
CVE-2021-38690
9.8 - Critical
- January 14, 2022
A stack buffer overflow vulnerability has been reported to affect QNAP device running QVR Elite, QVR Pro, QVR Guard. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QVR Elite, QVR Pro, QVR Guard: QuTS hero h5.0.0: QVR Elite 2.1.4.0 (2021/12/06) and later; QuTS hero h4.5.4: QVR Elite 2.1.4.0 (2021/12/06) and later; QTS 5.0.0: QVR Elite 2.1.4.0 (2021/12/06) and later; QTS 4.5.4: QVR Elite 2.1.4.0 (2021/12/06) and later; QTS 4.5.4: QVR Pro 2.1.3.0 (2021/12/06) and later; QTS 5.0.0: QVR Pro 2.1.3.0 (2021/12/06) and later; QTS 4.5.4: QVR Guard 2.1.3.0 (2021/12/06) and later; QTS 5.0.0: QVR Guard 2.1.3.0 (2021/12/06) and later
Memory Corruption
A stack buffer overflow vulnerability has been reported to affect QNAP device running QVR Elite, QVR Pro, QVR Guard
CVE-2021-38689
9.8 - Critical
- January 14, 2022
A stack buffer overflow vulnerability has been reported to affect QNAP device running QVR Elite, QVR Pro, QVR Guard. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QVR Elite, QVR Pro, QVR Guard: QuTS hero h5.0.0: QVR Elite 2.1.4.0 (2021/12/06) and later; QuTS hero h4.5.4: QVR Elite 2.1.4.0 (2021/12/06) and later; QTS 5.0.0: QVR Elite 2.1.4.0 (2021/12/06) and later; QTS 4.5.4: QVR Elite 2.1.4.0 (2021/12/06) and later; QTS 4.5.4: QVR Pro 2.1.3.0 (2021/12/06) and later; QTS 5.0.0: QVR Pro 2.1.3.0 (2021/12/06) and later; QTS 4.5.4: QVR Guard 2.1.3.0 (2021/12/06) and later; QTS 5.0.0: QVR Guard 2.1.3.0 (2021/12/06) and later
Memory Corruption