Severity
High
Analysis Summary
CVE-2023-23369 CVSS:9
QNAP QTS, Multimedia Console, and Media Streaming add-on could allow a remote attacker to execute arbitrary commands on the system, caused by an OS command injection flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVE-2023-23368 CVSS:9.8
QNAP QTS, QuTS hero, and QuTScloud could allow a remote attacker to execute arbitrary commands on the system, caused by an OS command injection flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
Impact
- Command Execution
Indicators Of Compromise
CVE
- CVE-2023-23369
- CVE-2023-23368
Affected Vendors
QNAP
Affected Products
- QNAP QTS 4.2.6
- QNAP QTS 4.3.3
- QNAP QTS 4.3.4
- QNAP QTS 4.3.6
- QNAP QTS 5.0.1
- QNAP QTS 4.5.0
- QNAP QTS 5.0.0
- QNAP QuTS Hero h5.0.0
- QNAP Multimedia Console 1.4
- QNAP Multimedia Console 2.1
- QNAP Media Streaming add-on 500.1
- QNAP Media Streaming add-on 500.0
- QNAP QuTScloud c5.0
- QNAP QuTS Hero h4.5.0
Remediation
Refer to QNAP Security Advisory for patch, upgrade or suggested workaround information.