Qnap Published 5 Security Advisories for Resolved Vulnerabilities

Qnap Systems, Inc. had published security enhancement against security vulnerabilities that could affect specific versions of Qnap products.

Use the following information and solutions to correct the security issues and vulnerabilities:

Advisories includes following:

Vulnerabilities in ClamAV

Security ID: QSA-23-26
Release date: October 7, 2023
CVE identifier: CVE-2023-20032 | CVE-2023-20052
Severity: Medium
Status: Resolved
Affected products: QTS 5.0.x, QuTS hero h5.0.x, QuTScloud c5.0.1

Summary
Multiple vulnerabilities have been reported in ClamAV.

The company have already fixed vulnerabilities in following affected Qnap OSs:

Affected product	Fixed version
QTS 5.0.x	QTS 5.0.1.2376 build 20230421 and later
QuTS hero h5.0.x	QuTS hero h5.0.1.2376 build 20230421 and later
QuTScloud c5.0.1	QuTScloud c5.0.1.2374 and later

Learn more

Vulnerabilities in Music Station

Security ID: QSA-23-28
Release date: October 7, 2023
CVE identifier: CVE-2023-23365 | CVE-2023-23366
Severity: High
Status: Resolved
Affected products: Music Station 5.3.x

Summary
Two path traversal vulnerabilities have been reported to affect Music Station. If exploited, the vulnerabilities could allow authenticated users to read the contents of unexpected files and expose sensitive data via a network.

The company have already fixed vulnerability in following version:

Affected product	Fixed version
Music Station 5.3.x	Music Station 5.3.22 and later

Learn more

Vulnerability in QVPN Device Client for Windows

Security ID: QSA-23-36
Release date: October 7, 2023

CVE identifier: CVE-2023-23370
Severity: Medium
Status: Resolved
Affected products: QVPN Windows 2.1.x

Summary
An insufficiently protected credentials vulnerability has been reported to affect QVPN Device Client for Windows. If exploited, the vulnerability could allow a local authenticated administrator to gain access to user accounts and the sensitive data they use via unspecified vectors.

The company have already fixed vulnerability in following version:

Affected product	Fixed version
QVPN Windows 2.1.x	QVPN Windows 2.1.0.0518 and later

Learn more

Vulnerability in QTS, QuTS hero, and QuTScloud

Security ID: QSA-23-37
Release date: October 7, 2023
CVE identifier: CVE-2023-32971 | CVE-2023-32972
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, 5.0.x, 4.5.x; QuTS hero h5.1.x, h5.0.x, h4.5.x; QuTScloud c5.x

Summary
A buffer copy without checking size of input vulnerability has been reported to affect several Qnap OSs If exploited, the vulnerability could allow authenticated administrators to execute code via a network.

The company have already fixed vulnerability in following OSs versions:

Affected product	Fixed version
QTS 5.0.x	QTS 5.0.1.2425 build 20230609 and later
QTS 5.1.x	QTS 5.1.0.2444 build 20230629 and later
QTS 4.5.x	QTS 4.5.4.2467 build 20230718 and later
QuTS hero h5.0.x	QuTS hero h5.0.1.2515 build 20230907 and later
QuTS hero h5.1.x	QuTS hero h5.1.0.2424 build 20230609 and later
QuTS hero h4.5.x	QuTS hero h4.5.4.2476 build 20230728 and later
QuTScloud c5.x	QuTScloud c5.1.0.2498 and later

Learn more

Vulnerability in QVPN Device Client for Windows

Security ID: QSA-23-39
Release date: October 7, 2023
CVE identifier: CVE-2023-23371
Severity: Low
Status: Resolved
Affected products: QVPN Windows 2.2.x

Summary
A cleartext transmission of sensitive information vulnerability has been reported to affect QVPN Device Client for Windows. If exploited, the vulnerability could allow local authenticated administrators to read sensitive data via unspecified vectors.

The company have already fixed vulnerability in following version: