Qnap
Products by Qnap Sorted by Most Security Vulnerabilities since 2018
Known Exploited Qnap Vulnerabilities
The following Qnap vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
Title | Description | Added |
---|---|---|
QNAP VioStor NVR OS Command Injection Vulnerability | QNAP VioStor NVR contains an OS command injection vulnerability that allows authenticated users to execute commands via a network. CVE-2023-47565 Exploit Probability: 49.3% | December 21, 2023 |
QNAP Photo Station Externally Controlled Reference Vulnerability | Certain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerability was observed being utilized in a Deadbolt ransomware campaign. CVE-2022-27593 Exploit Probability: 94.1% | September 8, 2022 |
QNAP Photo Station Path Traversal Vulnerability | QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. CVE-2019-7195 Exploit Probability: 89.3% | June 8, 2022 |
QNAP Photo Station Path Traversal Vulnerability | QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. CVE-2019-7194 Exploit Probability: 88.9% | June 8, 2022 |
QNAP QTS Improper Input Validation Vulnerability | QNAP QTS contains an improper input validation vulnerability allowing remote attackers to inject code on the system. CVE-2019-7193 Exploit Probability: 61.6% | June 8, 2022 |
QNAP Photo Station Improper Access Control Vulnerability | QNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system. CVE-2019-7192 Exploit Probability: 94.3% | June 8, 2022 |
QNAP NAS File Station Cross-Site Scripting Vulnerability | A cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code. CVE-2018-19953 Exploit Probability: 38.7% | May 24, 2022 |
QNAP NAS File Station Command Injection Vulnerability | A command injection vulnerability affecting QNAP NAS File Station could allow remote attackers to run commands. CVE-2018-19949 Exploit Probability: 69.2% | May 24, 2022 |
QNAP NAS File Station Cross-Site Scripting Vulnerability | A cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code. CVE-2018-19943 Exploit Probability: 10.0% | May 24, 2022 |
QNAP Network-Attached Storage (NAS) Command Injection Vulnerability | QNAP NAS devices contain a command injection vulnerability which could allow attackers to perform remote code execution. CVE-2020-2509 Exploit Probability: 89.6% | April 11, 2022 |
QNAP NAS Improper Authorization Vulnerability | QNAP NAS running HBS 3 contains an improper authorization vulnerability which can allow remote attackers to log in to a device. CVE-2021-28799 Exploit Probability: 88.1% | March 31, 2022 |
Of the known exploited vulnerabilities above, 6 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 4 known exploited Qnap vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
By the Year
In 2025 there have been 0 vulnerabilities in Qnap. Last year, in 2024, Qnap had 91 security vulnerabilities published. Right now, Qnap is on track to have fewer security vulnerabilities in 2025 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 91 | 7.26 |
2023 | 37 | 7.16 |
2022 | 18 | 8.37 |
2021 | 30 | 8.07 |
2020 | 18 | 7.07 |
2019 | 6 | 8.25 |
2018 | 17 | 7.84 |
It may take a day or so for new Qnap vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Qnap Security Vulnerabilities
QNAP OS Improper Certificate Validation Vulnerability
CVE-2024-48865
- December 06, 2024
An improper certificate validation vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow attackers with local network access to compromise the security of the system. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later
Improper Certificate Validation
QNAP OS URL Encoding Vulnerability
CVE-2024-48866
- December 06, 2024
An improper handling of URL encoding (Hex Encoding) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to run the system into an unexpected state. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later
Hex Encoding
QNAP OS: CRLF Injection Vulnerability in HTTP Headers
CVE-2024-48867
- December 06, 2024
An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to modify application data. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later
CRLF Injection
QNAP OS CRLF Injection Vulnerability in HTTP Headers
CVE-2024-48868
- December 06, 2024
An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to modify application data. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later
CRLF Injection
QNAP NAS SQL Injection Vulnerability in SMB Service
CVE-2024-50387
- December 06, 2024
A SQL injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to inject malicious code. We have already fixed the vulnerability in the following version: SMB Service 4.15.002 and later SMB Service h4.15.002 and later
SQL Injection
QNAP OS Command Injection Vulnerability
CVE-2024-50393
- December 06, 2024
A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later
Shell injection
QNAP OS Format String Vulnerability in QTS and QuTS hero
CVE-2024-50402
- December 06, 2024
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later
Use of Externally-Controlled Format String
QNAP OS: Remote Code Execution via Format String Vulnerability
CVE-2024-50403
- December 06, 2024
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.2.2.2952 build 20241116 and later
Use of Externally-Controlled Format String
QNAP Operating System: Remote Link Following Vulnerability
CVE-2024-53691
- December 06, 2024
A link following vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations. We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QTS 5.2.0.2802 build 20240620 and later QuTS hero h5.1.8.2823 build 20240712 and later QuTS hero h5.2.0.2802 build 20240620 and later
insecure temporary file
A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3
CVE-2024-27122
5.4 - Medium
- September 06, 2024
A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: Notes Station 3 3.9.6 and later
XSS
A cross-site scripting (XSS) vulnerability has been reported to affect Helpdesk
CVE-2024-27125
4.8 - Medium
- September 06, 2024
A cross-site scripting (XSS) vulnerability has been reported to affect Helpdesk. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network. We have already fixed the vulnerability in the following version: Helpdesk 3.3.1 and later
XSS
An improper authentication vulnerability has been reported to affect Music Station
CVE-2023-45038
8.8 - High
- September 06, 2024
An improper authentication vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Music Station 5.4.0 and later
authentification
An OS command injection vulnerability has been reported to affect Video Station
CVE-2023-47563
8.8 - High
- September 06, 2024
An OS command injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: Video Station 5.8.2 and later
Shell injection
A SQL injection vulnerability has been reported to affect Video Station
CVE-2023-50360
8.8 - High
- September 06, 2024
A SQL injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Video Station 5.8.1 ( 2024/02/26 ) and later
SQL Injection
An unquoted search path or element vulnerability has been reported to affect QVR Smart Client
CVE-2022-27592
6.7 - Medium
- September 06, 2024
An unquoted search path or element vulnerability has been reported to affect QVR Smart Client. If exploited, the vulnerability could allow local authenticated administrators to execute unauthorized code or commands via unspecified vectors. We have already fixed the vulnerability in the following version: Windows 10 SP1, Windows 11, Mac OS, and Mac M1: QVR Smart Client 2.4.0.0570 and later
Unquoted Search Path or Element
An OS command injection vulnerability has been reported to affect legacy QTS
CVE-2023-39300
7.2 - High
- September 06, 2024
An OS command injection vulnerability has been reported to affect legacy QTS. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 4.3.6.2805 build 20240619 and later QTS 4.3.4.2814 build 20240618 and later QTS 4.3.3.2784 build 20240619 and later QTS 4.2.6 build 20240618 and later
Shell injection
A missing authorization vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-39298
7.8 - High
- September 06, 2024
A missing authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local authenticated users to access data or perform actions that they should not be allowed to perform via unspecified vectors. QuTScloud is not affected. We have already fixed the vulnerability in the following versions: QTS 5.2.0.2737 build 20240417 and later QuTS hero h5.2.0.2782 build 20240601 and later
AuthZ
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-21906
4.7 - Medium
- September 06, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QuTS hero h5.1.8.2823 build 20240712 and later
Shell injection
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-32763
8.8 - High
- September 06, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QuTS hero h5.1.8.2823 build 20240712 and later
Classic Buffer Overflow
A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3
CVE-2024-27126
5.4 - Medium
- September 06, 2024
A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: Notes Station 3 3.9.6 and later
XSS
A cross-site scripting (XSS) vulnerability has been reported to affect QuLog Center
CVE-2024-32762
6.1 - Medium
- September 06, 2024
A cross-site scripting (XSS) vulnerability has been reported to affect QuLog Center. If exploited, the vulnerability could allow users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QuLog Center 1.8.0.872 ( 2024/06/17 ) and later QuLog Center 1.7.0.827 ( 2024/06/17 ) and later
XSS
An improper restriction of excessive authentication attempts vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-32771
2.4 - Low
- September 06, 2024
An improper restriction of excessive authentication attempts vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local network authenticated administrators to perform an arbitrary number of authentication attempts via unspecified vectors. QuTScloud is not affected. We have already fixed the vulnerability in the following versions: QTS 5.2.0.2782 build 20240601 and later QuTS hero h5.2.0.2782 build 20240601 and later
Improper Restriction of Excessive Authentication Attempts
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-34979
7.2 - High
- September 06, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 4.5.4.2790 build 20240605 and later QuTS hero h4.5.4.2790 build 20240606 and later
Shell injection
A cross-site scripting (XSS) vulnerability has been reported to affect Download Station
CVE-2024-38640
5.4 - Medium
- September 06, 2024
A cross-site scripting (XSS) vulnerability has been reported to affect Download Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Download Station 5.8.6.283 ( 2024/06/21 ) and later
XSS
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-38641
7.8 - High
- September 06, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local network users to execute commands via unspecified vectors. We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QuTS hero h5.1.8.2823 build 20240712 and later
Shell injection
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-50366
4.8 - Medium
- September 06, 2024
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
XSS
A path traversal vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-51366
6.5 - Medium
- September 06, 2024
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
Directory traversal
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-51367
8.8 - High
- September 06, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
Classic Buffer Overflow
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-51368
6.5 - Medium
- September 06, 2024
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to launch a denial-of-service (DoS) attack via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
NULL Pointer Dereference
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-21897
5.4 - Medium
- September 06, 2024
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
XSS
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-21898
8.8 - High
- September 06, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
Shell injection
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-21903
4.7 - Medium
- September 06, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
Shell injection
A path traversal vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-21904
6.5 - Medium
- September 06, 2024
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later
Directory traversal
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-34974
8.8 - High
- September 06, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. QuTScloud, QVR, QES are not affected. We have already fixed the vulnerability in the following versions: QTS 4.5.4.2790 build 20240605 and later QuTS hero h4.5.4.2626 build 20231225 and later
Shell injection
An improper certificate validation vulnerability has been reported to affect QuMagie
CVE-2024-38642
7.8 - High
- September 06, 2024
An improper certificate validation vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow local network users to compromise the security of the system via unspecified vectors. We have already fixed the vulnerability in the following version: QuMagie 2.3.1 and later
Improper Certificate Validation
An incorrect permission assignment for critical resource vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-21902
8.1 - High
- May 21, 2024
An incorrect permission assignment for critical resource vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later
Information Disclosure
A double free vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-27127
8.8 - High
- May 21, 2024
A double free vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute arbitrary code via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later
Double-free
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-27128
8.8 - High
- May 21, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute code via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-27129
8.8 - High
- May 21, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute code via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-27130
8.8 - High
- May 21, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute code via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-50361
8.8 - High
- April 26, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-50362
8.8 - High
- April 26, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
Classic Buffer Overflow
An incorrect authorization vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-50363
8.1 - High
- April 26, 2024
An incorrect authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to bypass intended access restrictions via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
AuthZ
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-50364
8.8 - High
- April 26, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
Classic Buffer Overflow
An improper authentication vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-21899
9.8 - Critical
- March 08, 2024
An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later
authentification
An injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2024-21900
6.5 - Medium
- March 08, 2024
An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later
Injection
A SQL injection vulnerability has been reported to affect myQNAPcloud
CVE-2024-21901
4.7 - Medium
- March 08, 2024
A SQL injection vulnerability has been reported to affect myQNAPcloud. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network. We have already fixed the vulnerability in the following versions: myQNAPcloud 1.0.52 ( 2023/11/24 ) and later QTS 4.5.4.2627 build 20231225 and later
SQL Injection
A heap-based buffer overflow vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41273
7.2 - High
- February 02, 2024
A heap-based buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.1.2.2534 build 20230927 and later QuTScloud c5.1.5.2651 and later
Memory Corruption
An unchecked return value vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-50359
6.7 - Medium
- February 02, 2024
An unchecked return value vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local authenticated administrators to place the system in a state that could lead to a crash or other unintended behaviors via unspecified vectors. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later
Unchecked Return Value
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-47566
7.2 - High
- February 02, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later
Shell injection
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45037
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45036
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
An uncontrolled resource consumption vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45028
4.9 - Medium
- February 02, 2024
An uncontrolled resource consumption vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later
Allocation of Resources Without Limits or Throttling
A path traversal vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45027
4.9 - Medium
- February 02, 2024
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later
Directory traversal
A path traversal vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45026
4.9 - Medium
- February 02, 2024
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later
Directory traversal
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41292
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41283
7.2 - High
- February 02, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTScloud c5.1.5.2651 and later
Shell injection
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41282
7.2 - High
- February 02, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTScloud c5.1.5.2651 and later
Shell injection
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41281
7.2 - High
- February 02, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTScloud c5.1.5.2651 and later
Shell injection
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41280
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.1.2.2534 build 20230927 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41279
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.1.2.2534 build 20230927 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41278
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.1.2.2534 build 20230927 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41277
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.1.2.2534 build 20230927 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41275
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.1.2.2534 build 20230927 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41274
4.9 - Medium
- February 02, 2024
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.1.2.2534 build 20230927 and later QuTScloud c5.1.5.2651 and later
NULL Pointer Dereference
An improper authentication vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-39303
9.8 - Critical
- February 02, 2024
An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later
Authentication
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-39302
7.2 - High
- February 02, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later
Shell injection
An OS command injection vulnerability has been reported to affect Photo Station
CVE-2023-47562
8.8 - High
- February 02, 2024
An OS command injection vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: Photo Station 6.4.2 ( 2023/12/15 ) and later
Command Injection
A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station
CVE-2023-47561
5.4 - Medium
- February 02, 2024
A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Photo Station 6.4.2 ( 2023/12/15 ) and later
XSS
A SQL injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-47568
8.8 - High
- February 02, 2024
A SQL injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later
SQL Injection
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-47567
7.2 - High
- February 02, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later
Shell injection
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45035
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45025
9.8 - Critical
- February 02, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later
Shell injection
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-39297
8.8 - High
- February 02, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later
Shell injection
An incorrect authorization vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-32967
6.5 - Medium
- February 02, 2024
An incorrect authorization vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to bypass intended access restrictions via a network. QTS 5.x, QuTS hero are not affected. We have already fixed the vulnerability in the following versions: QuTScloud c5.1.5.2651 and later QTS 4.5.4.2627 build 20231225 and later
AuthZ
An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central
CVE-2023-47564
8.1 - High
- February 02, 2024
An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network. We have already fixed the vulnerability in the following versions: Qsync Central 4.4.0.15 ( 2024/01/04 ) and later Qsync Central 4.3.0.11 ( 2024/01/11 ) and later
Incorrect Permission Assignment for Critical Resource
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-41276
7.2 - High
- February 02, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.1.2.2534 build 20230927 and later QuTScloud c5.1.5.2651 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45044
7.2 - High
- January 05, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later
Classic Buffer Overflow
A SQL injection vulnerability has been reported to affect QuMagie
CVE-2023-47219
8.8 - High
- January 05, 2024
A SQL injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: QuMagie 2.2.1 and later
SQL Injection
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45043
7.2 - High
- January 05, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45042
7.2 - High
- January 05, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45041
7.2 - High
- January 05, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45040
7.2 - High
- January 05, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-45039
7.2 - High
- January 05, 2024
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later
Classic Buffer Overflow
An OS command injection vulnerability has been reported to affect Video Station
CVE-2023-41288
8.8 - High
- January 05, 2024
An OS command injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following version: Video Station 5.7.2 ( 2023/11/23 ) and later
Shell injection
A SQL injection vulnerability has been reported to affect Video Station
CVE-2023-41287
8.8 - High
- January 05, 2024
A SQL injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Video Station 5.7.2 ( 2023/11/23 ) and later
SQL Injection
An OS command injection vulnerability has been reported to affect QuMagie
CVE-2023-47560
8.8 - High
- January 05, 2024
An OS command injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: QuMagie 2.2.1 and later
Shell injection
A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie
CVE-2023-47559
5.4 - Medium
- January 05, 2024
A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: QuMagie 2.2.1 and later
XSS
A prototype pollution vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-39296
7.5 - High
- January 05, 2024
A prototype pollution vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to override existing attributes with ones that have incompatible type, which may lead to a crash via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later
Prototype Pollution
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-39294
7.2 - High
- January 05, 2024
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later
Shell injection
An OS command injection vulnerability has been reported to affect QcalAgent
CVE-2023-41289
8.8 - High
- January 05, 2024
An OS command injection vulnerability has been reported to affect QcalAgent. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: QcalAgent 1.1.8 and later
Shell injection
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-32968
7.2 - High
- December 08, 2023
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2514 build 20230906 and later QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.0.1.2515 build 20230907 and later QuTS hero h5.1.2.2534 build 20230927 and later
Classic Buffer Overflow
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-32975
7.2 - High
- December 08, 2023
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2514 build 20230906 and later QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.0.1.2515 build 20230907 and later QuTS hero h5.1.2.2534 build 20230927 and later
Classic Buffer Overflow
An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x
CVE-2023-47565
8.8 - High
- December 08, 2023
An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QVR Firmware 5.0.0 and later
Shell injection
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-23372
6.1 - Medium
- December 08, 2023
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2425 build 20230609 and later QTS 5.1.0.2444 build 20230629 and later QTS 4.5.4.2467 build 20230718 and later QuTS hero h5.1.0.2424 build 20230609 and later QuTS hero h5.0.1.2515 build 20230907 and later QuTS hero h4.5.4.2476 build 20230728 and later
XSS
A SQL injection vulnerability has been reported to affect QuMagie
CVE-2023-41284
8.8 - High
- November 10, 2023
A SQL injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: QuMagie 2.1.4 and later
A SQL injection vulnerability has been reported to affect QuMagie
CVE-2023-41285
8.8 - High
- November 10, 2023
A SQL injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: QuMagie 2.1.4 and later
An OS command injection vulnerability has been reported to affect QuMagie
CVE-2023-39295
8.8 - High
- November 10, 2023
An OS command injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: QuMagie 2.1.3 and later
An OS command injection vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-23367
7.2 - High
- November 10, 2023
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2376 build 20230421 and later QuTS hero h5.0.1.2376 build 20230421 and later QuTScloud c5.1.0.2498 and later
A server-side request forgery (SSRF) vulnerability has been reported to affect several QNAP operating system versions
CVE-2023-39301
4.3 - Medium
- November 03, 2023
A server-side request forgery (SSRF) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to read application data via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2514 build 20230906 and later QTS 5.1.1.2491 build 20230815 and later QuTS hero h5.0.1.2515 build 20230907 and later QuTS hero h5.1.1.2488 build 20230812 and later QuTScloud c5.1.0.2498 and later
SSRF