

FreeBSD Servers Targeted by New Interlock Ransomware – Active IOCs
November 4, 2024
SQLite Database Engine Zero-Day Vulnerability Discovered by Google’s AI Tool Big Sleep
November 4, 2024
Severity
High
Analysis Summary
CVE-2024-38640 CVSS:7
A cross-site scripting (XSS) vulnerability has been reported to affect Download Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Download Station 5.8.6.283 (2024/06/21) and later.
CVE-2024-38641 CVSS:7.3
QNAP QTS and QuTS hero could allow a local attacker to execute arbitrary commands on the system. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVE-2024-38642 CVSS:7.8
An improper certificate validation vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow local network users to compromise the security of the system via unspecified vectors.
Impact
- Gain Access
- Security Bypass
Indicators of Compromise
CVE
- CVE-2024-38640
- CVE-2024-38641
- CVE-2024-38642
Affected Vendors
Affected Products
- QNAP Systems Inc. QTS - 5.1.x
- QNAP Systems Inc. QuTS hero - h5.1.x
- QNAP Systems Inc. Download Station - 5.8.x
- QNAP QuMagie 2.3.0
Remediation
Refer to QNAP Security Advisory for patch, upgrade or suggested workaround information.