QNAP has addressed multiple vulnerabilities in several NAS devices include Photo Station, AI Core, QuLog Center, Media Streaming Add-on, QTS and QuTS hero.
The two command injection vulnerabilities in QuRouter 2.4.x, tracked as CVE-2024-48860 with a CVSS Score of 9.5 and CVE-2024-48861 with a CVSS score of 7.3, could allow remote attackers to execute arbitrary commands.
QNAP patched the vulnerabilities in firmware version 2.4.3.106 and later.
Advertisements
QNAP also addresses vulnerabilities in Note Station 3
- CVE-2024-38643 with a CVSS score of 9.3, a missing authentication flaw allows remote attackers to gain unauthorized system access and execute certain functions.
- CVE-2024-38644 with a CVSS score of 8.7, a command injection flaw enables attackers with user access to execute arbitrary commands.
- CVE-2024-38645 with a CVSS score of 9.4, a server-side request forgery flaw lets attackers read sensitive application data.
- CVE-2024-38646 with a CVSS score of 8.4, Incorrect permission assignments grant unauthorized access to critical resources. The vulnerability allows local authenticated attackers with administrator access to read or modify the resource.
