QNAP QTS/QuTS Hero CRLF Injection Remote Admin Data Mod (before 5.2.3.3006)
CVE-2024-50405 Published on March 7, 2025

QTS, QuTS hero
An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to modify application data. We have already fixed the vulnerability in the following versions: QTS 5.2.3.3006 build 20250108 and later QuTS hero h5.2.3.3006 build 20250108 and later

NVD

Vulnerability Analysis

CVE-2024-50405 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
NONE
Integrity Impact:
LOW
Availability Impact:
LOW

Weakness Types

What is a CRLF Injection Vulnerability?

The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

CVE-2024-50405 has been classified to as a CRLF Injection vulnerability or weakness.

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2024-50405 has been classified to as a Code Injection vulnerability or weakness.


Products Associated with CVE-2024-50405

Want to know whenever a new CVE is published for QNAP Qts? stack.watch will email you.

QNAP Qts
 

Affected Versions

QNAP Systems Inc. QTS: QNAP Systems Inc. QuTS hero:

Exploit Probability

EPSS
0.16%
Percentile
36.26%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.