CRLF Injection in QTS 5.2.3.3006+ QNAP OS Remote Data Modification
CVE-2024-53693 Published on March 7, 2025

QTS, QuTS hero
An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to modify application data. We have already fixed the vulnerability in the following versions: QTS 5.2.3.3006 build 20250108 and later QuTS hero h5.2.3.3006 build 20250108 and later

NVD

Vulnerability Analysis

CVE-2024-53693 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Types

What is a CRLF Injection Vulnerability?

The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

CVE-2024-53693 has been classified to as a CRLF Injection vulnerability or weakness.

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2024-53693 has been classified to as a Code Injection vulnerability or weakness.

What is a Resource Exhaustion Vulnerability?

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVE-2024-53693 has been classified to as a Resource Exhaustion vulnerability or weakness.


Products Associated with CVE-2024-53693

Want to know whenever a new CVE is published for QNAP Qts? stack.watch will email you.

QNAP Qts
 

Affected Versions

QNAP Systems Inc. QTS: QNAP Systems Inc. QuTS hero:

Exploit Probability

EPSS
0.15%
Percentile
35.64%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.