What are you looking for ?
Advertise with us
Advertise with us

Qnap Fourteen Security Advisories on Resolved Vulnerabilities

Concerning QTS and QuTS hero NAS OS, QuTScloud, Qsync Central, OpenSSH, and Photo Station

Qnap Systems, Inc. had published security enhancement against security vulnerabilities that could affect specific versions of the company’s products.

Use the following information and solutions to correct the security issues and vulnerabilities.

This advisory includes the following:

 

Vulnerability in QTS and QuTS hero

Security ID: QSA-23-30
Release date: February 3, 2024
CVE identifier: CVE-2023-39297
Severity: High
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x

Summary
An OS command injection vulnerability has been reported to affect certain Qnap OS versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network.

The company have already fixed vulnerability in following versions:

Affected product

Fixed version

QTS 5.1.x

QTS 5.1.4.2596 build 20231128 and later

QuTS hero h5.1.x

QuTS hero h5.1.4.2596 build 20231128 and later

More information

 

Multiple Vulnerabilities in QTS and QuTS hero

Security ID: QSA-23-33
Release date: February 3, 2024
CVE identifier: CVE-2023-39302 | CVE-2023-39303
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x

Summary
Multiple vulnerabilities have been reported to affect certain Qnap OS versions:

  • CVE-2023-39302: If exploited, the OS command injection vulnerability could allow authenticated administrators to execute commands via a network.

  • CVE-2023-39303: If exploited, the improper authentication vulnerability could allow users to compromise the security of the system via a network.

The company have already fixed vulnerabilities in following versions:

Affected product

Fixed version

QTS 5.1.x

QTS 5.1.3.2578 build 20231110 and later

QuTS hero h5.1.x

QuTS hero h5.1.3.2578 build 20231110 and later

More information

 

Multiple Vulnerabilities in QTS and QuTS hero

Security ID: QSA-23-38
Release date: February 3, 2024
CVE identifier: CVE-2023-41273 | CVE-2023-41274 | CVE-2023-41275 | CVE-2023-41276 | CVE-2023-41277 | CVE-2023-41278 | CVE-2023-41279 | CVE-2023-41280
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x

Summary
Multiple vulnerabilities have been reported to affect certain Qnap OS versions:

  • CVE-2023-41273: If exploited, the heap-based buffer overflow vulnerability could allow authenticated administrators to execute code via a network.

  • CVE-2023-41274: If exploited, the NULL pointer dereference vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network.

  • CVE-2023-41275, CVE-2023-41276, CVE-2023-41277, CVE-2023-41278, CVE-2023-41279, CVE-2023-41280: If exploited, these buffer copy without checking size of input vulnerabilities could allow authenticated administrators to execute code via a network.

The company have already fixed vulnerabilities in following versions:

Affected product

Fixed version

QTS 5.1.x

QTS 5.1.2.2533 build 20230926 and later

QuTS hero h5.1.x

QuTS hero h5.1.2.2534 build 20230927 and later

More information

 

Multiple Vulnerabilities in QTS and QuTS hero

Security ID: QSA-23-46
Release date: February 3, 2024
CVE identifier: CVE-2023-41292 | CVE-2023-45035 | CVE-2023-45036 | CVE-2023-45037
Severity: Low
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x

Summary
Multiple buffer copy without checking size of input vulnerabilities have been reported to affect certain Qnap
OS versions. If exploited, these vulnerabilities could allow authenticated administrators to execute code via a network.

The company have already fixed vulnerabilities in following versions:

Affected product

Fixed version

QTS 5.1.x

QTS 5.1.4.2596 build 20231128 and later

QuTS hero h5.1.x

QuTS hero h5.1.4.2596 build 20231128 and later

More information

 

Vulnerability in QTS and QuTS hero

Security ID: QSA-23-47
Release date: February 3, 2024
CVE identifier: CVE-2023-45025
Severity: Critical
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x

Summary
An OS command injection vulnerability has been reported to affect certain Qnap
OS versions. If exploited, the vulnerability could allow users to execute commands via a network when the system is in a certain configuration.

The company have already fixed vulnerability in following versions:

Affected product

Fixed version

QTS 5.1.x

QTS 5.1.4.2596 build 20231128 and later

QuTS hero h5.1.x

QuTS hero h5.1.4.2596 build 20231128 and later

More information

 

Multiple Vulnerabilities in QTS and QuTS hero

Security ID: QSA-23-53
Release date: February 3, 2024
CVE identifier: CVE-2023-41281 | CVE-2023-41282 | CVE-2023-41283
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x

Summary
Multiple OS command injection vulnerabilities have been reported to affect certain Qnap
OS versions. If exploited, these vulnerabilities could allow authenticated administrators to execute commands via a network.

The company have already fixed vulnerabilities in following versions:

Affected product

Fixed version

QTS 5.1.x

QTS 5.1.4.2596 build 20231128 and later

QuTS hero h5.1.x

QuTS hero h5.1.4.2596 build 20231128 and later

More information

 

Vulnerability in QTS and QuTScloud

Security ID: QSA-24-01
Release date: February 3, 2024
CVE identifier: CVE-2023-32967
Severity: Medium
Status: Resolved
Affected products: QTS 4.5.x, QuTScloud c5.x

Summary
An incorrect authorization vulnerability has been reported to affect certain Qnap
OS versions. If exploited, the vulnerability could allow authenticated users to bypass intended access restrictions via a network.

The company have already fixed vulnerability in following versions:

Affected product

Fixed version

QTS 4.5.x

QTS 4.5.4.2627 build 20231225 and later

QuTScloud c5.x

QuTScloud c5.1.5.2651 and later

QTS 5.x and QuTS hero are not affected.

More information

 

Multiple Vulnerabilities in QTS, QuTS hero, and QuTScloud

Security ID: QSA-24-02
Release date: February 3, 2024
CVE identifier: CVE-2023-45026 | CVE-2023-45027 | CVE-2023-45028
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x, QuTScloud c5.x

Summary
Multiple vulnerabilities have been reported to affect several Qnap
OS versions:

  • CVE-2023-45026 and CVE-2023-45027: If exploited, the path traversal vulnerabilities could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network.

  • CVE-2023-45028: If exploited, the uncontrolled resource consumption vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network.

The company have already fixed vulnerability in following versions:

Affected product

Fixed version

QTS 5.1.x

QTS 5.1.5.2645 build 20240116 and later

QuTS hero h5.1.x

QuTS hero h5.1.5.2647 build 20240118 and later

QuTScloud c5.x

QuTScloud c5.1.5.2651 and later

More information

 

Vulnerability in Qsync Central

Security ID: QSA-24-03
Release date: February 3, 2024
CVE identifier: CVE-2023-47564
Severity: High
Status: Resolved
Affected products: Qsync Central 4.4.x, 4.3.x

Summary
An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow authenticated users to read or modify critical resources via a network.

The company have already fixed vulnerability in following versions:

Affected product

Fixed version

Qsync Central 4.4.x

Qsync Central 4.4.0.15 (2024/01/04) and later

Qsync Central 4.3.x

Qsync Central 4.3.0.11 (2024/01/11) and later

More information

 

Vulnerability in QTS, QuTS hero, and QuTScloud

Security ID: QSA-24-04
Release date: February 3, 2024
CVE identifier: CVE-2023-47566
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x, QuTScloud c5.x

Summary
An OS command injection vulnerability has been reported to affect several Qnap
OS versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.

The company have already fixed vulnerability in following versions:

Affected product

Fixed version

QTS 5.1.x

QTS 5.1.5.2645 build 20240116 and later

QuTS hero h5.1.x

QuTS hero h5.1.5.2647 build 20240118 and later

QuTScloud c5.x

QuTScloud c5.1.5.2651 and later

More information

 

Multiple Vulnerabilities in QTS, QuTS hero, and QuTScloud

Security ID: QSA-24-05
Release date: February 3, 2024
CVE identifier: CVE-2023-47567 | CVE-2023-47568
Severity: High
Status: Resolved
Affected products: QTS 5.1.x, 4.5.x; QuTS hero h5.1.x, h4.5.x; QuTScloud c5.x

Summary
Two vulnerabilities have been reported to affect several Qnap
OS versions:

  • CVE-2023-47567: If exploited, the OS command injection vulnerability could allow authenticated administrators to execute commands via a network.

  • CVE-2023-47568: If exploited, the SQL injection vulnerability could allow authenticated users to inject malicious code via a network.

The company have already fixed vulnerability in following versions:

Affected product

Fixed version

QTS 5.1.x

QTS 5.1.5.2645 build 20240116 and later

QTS 4.5.x

QTS 4.5.4.2627 build 20231225 and later

QuTS hero h5.1.x

QuTS hero h5.1.5.2647 build 20240118 and later

QuTS hero h4.5.x

QuTS hero h4.5.4.2626 build 20231225 and later

QuTScloud c5.x

QuTScloud c5.1.5.2651 and later

More information

 

Vulnerability in OpenSSH

Security ID: QSA-24-06
Release date: February 3, 2024
CVE identifier: CVE-2023-48795
Severity: Medium
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x

Summary
A vulnerability in OpenSSH has been reported to affect certain Qnap
OS versions.

The company have already fixed vulnerability in following versions:

Affected product

Fixed version

QTS 5.1.x

QTS 5.1.5.2645 build 20240116 and later

QuTS hero h5.1.x

QuTS hero h5.1.5.2647 build 20240118 and later

More information

 

Vulnerability in QTS and QuTS hero

Security ID: QSA-24-07
Release date: February 3, 2024
CVE identifier: CVE-2023-50359
Severity: Low
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x

Summary
An unchecked return value vulnerability has been reported to affect certain Qnap
OS versions. If exploited, the vulnerability could allow local authenticated administrators to place the system in a state that could lead to a crash or other unintended behaviors via unspecified vectors.

The company have already fixed vulnerability in following versions:

Affected product

Fixed version

QTS 5.1.x

QTS 5.1.5.2645 build 20240116 and later

QuTS hero h5.1.x

QuTS hero h5.1.5.2647 build 20240118 and later

More information

 

Multiple Vulnerabilities in Photo Station

Security ID: QSA-24-08
Release date: February 3, 2024
CVE identifier: CVE-2023-47561 | CVE-2023-47562
Severity: Medium
Status: Resolved
Affected products: Photo Station 6.4.x

Summary
Two vulnerabilities have been reported to affect Photo Station:

  • CVE-2023-47561: If exploited, the cross-site scripting (XSS) vulnerability could allow authenticated users to inject malicious code via a network.

  • CVE-2023-47562: If exploited, the OS command injection vulnerability could allow authenticated users to execute commands via a network.

The company have already fixed vulnerability in following versions:

Affected product

Fixed version

Photo Station 6.4.x

Photo Station 6.4.2 (2023/12/15) and later

More information

 

Questions regarding this issue

Articles_bottom
ExaGrid
AIC
ATTOtarget="_blank"
OPEN-E
RAIDON