QNAP QTS/QuTS hero Security Bulletin: Multiple Vulnerabilities (CVE-2023-50361 to CVE-2024-21903) including RCE, XSS, and Command Injection

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability ID: QSA-24-20 2. Release Date: April 25, 2024 3. CVE Identifiers: CVE-2023-50361 to CVE-2024-21903 4. Affected Products: QTS 5.1.x and QuTS hero h5.1.x 5. Severity: Medium 6. Status: Resolved 7. Vulnerability Description: - Multiple vulnerabilities affect specific QNAP operating system versions. - CVE-2023-50361 to CVE-2023-51367: Buffer copy vulnerabilities due to unchecked input size, allowing remote attackers to execute arbitrary code. - CVE-2023-50363: Authentication error vulnerability, allowing remote attackers to bypass two-factor authentication. - CVE-2023-50366: Cross-site scripting (XSS) vulnerability, allowing attackers to inject malicious code. - CVE-2023-51366: Path traversal vulnerability, allowing remote attackers to read sensitive data. - CVE-2023-51368: NULL pointer dereference vulnerability, allowing remote attackers to launch denial-of-service (DoS) attacks. - CVE-2024-21897 and CVE-2024-21898: Cross-site scripting (XSS) vulnerabilities, allowing attackers to inject malicious code. - CVE-2024-21903: Operating system command injection vulnerability, allowing remote attackers to execute malicious commands. 8. Fixed Versions: - QTS 5.1.x: QTS 5.1.6.2722 build 20240402 and later versions. - QuTS hero h5.1.x: QuTS hero h5.1.6.2734 build 20240414 and later versions. 9. Update Recommendations: - Regularly update the system to the latest version to receive vulnerability fixes. - Updates can be downloaded from the QNAP website. 10. Attachments: - CVE-2023-50361.json - CVE-2023-50362.json - CVE-2023-50363.json - CVE-2023-50364.json - CVE-2023-50366.json - CVE-2023-51366.json - CVE-2023-51367.json - CVE-2023-51368.json - CVE-2024-21897.json - CVE-2024-21898.json - CVE-2024-21903.json This information helps users understand the security vulnerabilities in QNAP systems and how to protect their devices by updating the system.

Goal Reached Thanks to every supporter — we hit 100%!

QNAP QTS/QuTS hero Security Bulletin: Multiple Vulnerabilities (CVE-2023-50361 to CVE-2024-21903) including RCE, XSS, and Command Injection