Qnap Six Security Advisories on Resolved Vulnerabilities
In Netatalk, QuMagie, QTS and QuTS hero NAS OSs, QcalAgent, and Video Station
This is a Press Release edited by StorageNewsletter.com on January 11, 2024 at 2:00 pm
Qnap Systems, Inc. has published security enhancements addressing vulnerabilities that could affect specific versions of its products.
Use the following information and fixed-version tables to remediate the security issues and vulnerabilities.
This advisory includes the following:
- Vulnerability in Netatalk (ID: QSA-23-22)
- Multiple Vulnerabilities in QuMagie (ID: QSA-23-23)
- Multiple Vulnerabilities in QTS and QuTS hero (ID: QSA-23-27)
- Vulnerability in QuMagie (ID: QSA-23-32)
- Vulnerability in QcalAgent (ID: QSA-23-34)
- Vulnerability in QTS and QuTS hero (ID: QSA-23-54)
- Multiple Vulnerabilities in Video Station (ID: QSA-23-55)
- Vulnerability in QTS and QuTS hero (ID: QSA-23-64)
Vulnerability in Netatalk
Security ID: QSA-23-22
Release date: January 6, 2024
CVE identifier: CVE-2022-43634
Severity: High
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x
Summary:
A vulnerability has been reported in Netatalk that affects certain versions of Qnap operating systems.
Qnap has already fixed the vulnerability in the following versions:
Affected product | Fixed version
QTS 5.1.x | QTS 5.1.3.2578 build 20231110 and later
QuTS hero h5.1.x | QuTS hero h5.1.3.2578 build 20231110 and later
Multiple Vulnerabilities in QuMagie
Security ID: QSA-23-23
Release date: January 6, 2024
CVE identifier: CVE-2023-47559 | CVE-2023-47560
Severity: High
Status: Resolved
Affected products: QuMagie 2.2.x
Summary:
Two vulnerabilities have been reported to affect QuMagie:
- CVE-2023-47559: If exploited, the cross-site scripting (XSS) vulnerability could allow authenticated users to inject malicious code via a network.
- CVE-2023-47560: If exploited, the OS command injection vulnerability could allow authenticated users to execute commands via a network.
Qnap has already fixed the vulnerabilities in the following version:
Affected product | Fixed version
QuMagie 2.2.x | QuMagie 2.2.1 and later
Multiple Vulnerabilities in QTS and QuTS hero
Security ID: QSA-23-27
Release date: January 6, 2024
CVE identifier: CVE-2023-45039 | CVE-2023-45040 | CVE-2023-45041 | CVE-2023-45042 | CVE-2023-45043 | CVE-2023-45044
Severity: Low
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x
Summary:
Multiple "buffer copy without checking size of input" (classic buffer overflow) vulnerabilities have been reported to affect certain versions of Qnap operating systems. If exploited, the vulnerabilities could allow authenticated administrators to execute code via a network.
Qnap has already fixed the vulnerabilities in the following versions:
Affected product | Fixed version
QTS 5.1.x | QTS 5.1.4.2596 build 20231128 and later
QuTS hero h5.1.x | QuTS hero h5.1.4.2596 build 20231128 and later
Vulnerability in QuMagie
Security ID: QSA-23-32
Release date: January 6, 2024
CVE identifier: CVE-2023-47219
Severity: Low
Status: Resolved
Affected products: QuMagie 2.2.x
Summary:
An SQL injection vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.
Qnap has already fixed the vulnerability in the following version:
Affected product | Fixed version
QuMagie 2.2.x | QuMagie 2.2.1 and later
Vulnerability in QcalAgent
Security ID: QSA-23-34
Release date: January 6, 2024
CVE identifier: CVE-2023-41289
Severity: Medium
Status: Resolved
Affected products: QcalAgent 1.1.x
Summary:
An OS command injection vulnerability has been reported to affect QcalAgent. If exploited, the vulnerability could allow authenticated users to execute commands via a network.
Qnap has already fixed the vulnerability in the following version:
Affected product | Fixed version
QcalAgent 1.1.x | QcalAgent 1.1.8 and later
Vulnerability in QTS and QuTS hero
Security ID: QSA-23-54
Release date: January 6, 2024
CVE identifier: CVE-2023-39294
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x
Summary:
An OS command injection vulnerability has been reported to affect certain versions of Qnap operating systems. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.
Qnap has already fixed the vulnerability in the following versions:
Affected product | Fixed version
QTS 5.1.x | QTS 5.1.3.2578 build 20231110 and later
QuTS hero h5.1.x | QuTS hero h5.1.3.2578 build 20231110 and later
Multiple Vulnerabilities in Video Station
Security ID: QSA-23-55
Release date: January 6, 2024
CVE identifier: CVE-2023-41287 | CVE-2023-41288
Severity: High
Status: Resolved
Affected products: Video Station 5.7.x
Summary:
Multiple vulnerabilities have been reported to affect Video Station:
- CVE-2023-41287: If exploited, the SQL injection vulnerability could allow users to inject malicious code via a network.
- CVE-2023-41288: If exploited, the OS command injection vulnerability could allow users to execute commands via a network.
Qnap has already fixed the vulnerabilities in the following version:
Affected product | Fixed version
Video Station 5.7.x | Video Station 5.7.2 (2023/11/23) and later
Vulnerability in QTS and QuTS hero
Security ID: QSA-23-64
Release date: January 6, 2024
CVE identifier: CVE-2023-39296
Severity: High
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x
Summary:
A prototype pollution vulnerability has been reported to affect certain versions of Qnap operating systems. If exploited, the vulnerability could allow remote users to override existing attributes with ones of an incompatible type, which may cause the system to crash.
Qnap has already fixed the vulnerability in the following versions:
Affected product | Fixed version
QTS 5.1.x | QTS 5.1.3.2578 build 20231110 and later
QuTS hero h5.1.x | QuTS hero h5.1.3.2578 build 20231110 and later
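Because the eight advisories above overlap (four of them cover QTS/QuTS hero, with QSA-23-27 requiring a later build than the other three), checking a fleet by eye is error-prone. The following script is an added example written for this page, not Qnap's own tooling: it encodes the affected branches and fixed versions exactly as listed in the advisories, parses Qnap's "5.1.3.2578 build 20231110" / "h5.1.3.2578" / "5.7.2 (2023/11/23)" version strings, and reports which advisories an installed version still lacks. The inventory at the bottom is constructed sample data; the version numbers in it other than the fixed versions quoted from the advisories are assumptions for illustration.

```python
import re

# Fixed versions exactly as listed in the advisories on this page. The "affected
# branch" column is the x-range each advisory names (QTS 5.1.x, QuMagie 2.2.x, ...):
# a build outside that branch is not covered by the advisory, so it is reported
# separately rather than as "fixed".
ADVISORIES = [
    # (advisory id, product, affected branch, first fixed version)
    ("QSA-23-22", "QTS",           "5.1",  "5.1.3.2578 build 20231110"),
    ("QSA-23-22", "QuTS hero",     "h5.1", "h5.1.3.2578 build 20231110"),
    ("QSA-23-23", "QuMagie",       "2.2",  "2.2.1"),
    ("QSA-23-27", "QTS",           "5.1",  "5.1.4.2596 build 20231128"),
    ("QSA-23-27", "QuTS hero",     "h5.1", "h5.1.4.2596 build 20231128"),
    ("QSA-23-32", "QuMagie",       "2.2",  "2.2.1"),
    ("QSA-23-34", "QcalAgent",     "1.1",  "1.1.8"),
    ("QSA-23-54", "QTS",           "5.1",  "5.1.3.2578 build 20231110"),
    ("QSA-23-54", "QuTS hero",     "h5.1", "h5.1.3.2578 build 20231110"),
    ("QSA-23-55", "Video Station", "5.7",  "5.7.2"),
    ("QSA-23-64", "QTS",           "5.1",  "5.1.3.2578 build 20231110"),
    ("QSA-23-64", "QuTS hero",     "h5.1", "h5.1.3.2578 build 20231110"),
]

# Accepts "5.1.3.2578 build 20231110", "h5.1.3.2578", "2.2.1", "5.7.2 (2023/11/23)".
_VERSION_RE = re.compile(
    r"^h?(?P<nums>\d+(?:\.\d+)*)"
    r"(?:\s+build\s+(?P<build>\d{8}))?"
    r"(?:\s*\(\d{4}/\d{2}/\d{2}\))?$"
)


def parse_version(text):
    """Split a Qnap version string into (numeric tuple, build date or None)."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group("nums").split("."))
    build = int(m.group("build")) if m.group("build") else None
    return nums, build


def _padded(a, b):
    # Right-pad the shorter tuple with zeros so "2.2" compares against "2.2.1".
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def in_affected_branch(installed, branch):
    """True if the installed numeric version starts with the branch prefix (5.1.x etc.)."""
    i_nums, _ = parse_version(installed)
    b_nums, _ = parse_version(branch)
    return i_nums[: len(b_nums)] == b_nums


def is_fixed(installed, fixed):
    """True if installed >= fixed. The build date is compared only when the
    numeric parts are equal and both strings carry one; a bare version string
    with no build date is treated as that numbered release."""
    i_nums, i_build = parse_version(installed)
    f_nums, f_build = parse_version(fixed)
    i_nums, f_nums = _padded(i_nums, f_nums)
    if i_nums != f_nums:
        return i_nums > f_nums
    if i_build is not None and f_build is not None:
        return i_build >= f_build
    return True


def assess(product, installed):
    """Return [(advisory id, status)] for one product; status is
    'fixed', 'vulnerable' or 'outside affected branch'."""
    out = []
    for adv, prod, branch, fixed in ADVISORIES:
        if prod != product:
            continue
        if not in_affected_branch(installed, branch):
            status = "outside affected branch"
        elif is_fixed(installed, fixed):
            status = "fixed"
        else:
            status = "vulnerable"
        out.append((adv, status))
    return out


def outstanding(product, installed):
    """Advisory ids whose fix the installed version does not yet carry."""
    return [adv for adv, status in assess(product, installed) if status == "vulnerable"]


if __name__ == "__main__":
    # Constructed sample inventory (hostname, product, installed version); not real hosts,
    # and the non-fixed version numbers are assumed for illustration.
    inventory = [
        ("nas-01", "QTS",           "5.1.3.2578 build 20231110"),
        ("nas-02", "QuTS hero",     "h5.1.2.2534 build 20230927"),
        ("nas-02", "QuMagie",       "2.2.0"),
        ("nas-03", "Video Station", "5.7.2 (2023/11/23)"),
        ("nas-03", "QcalAgent",     "1.1.7"),
    ]
    for host, product, version in inventory:
        open_ids = outstanding(product, version)
        print(f"{host:7} {product:14} {version:28} outstanding: {', '.join(open_ids) or 'none'}")
```

Note the QTS case: a unit on 5.1.3.2578 build 20231110 carries the fixes for QSA-23-22, QSA-23-54 and QSA-23-64 but is still reported as outstanding for QSA-23-27, which first ships in 5.1.4.2596 build 20231128. Versions outside the advisory's stated branch (for example a 5.0.x build) are reported as "outside affected branch" rather than "fixed", because the advisory makes no statement about them.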