Severity
High
Analysis Summary
CVE-2024-38643 CVSS:9.3
A missing authentication for critical function vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote attackers to gain access to and execute certain functions.
CVE-2024-38644 CVSS:8.7
An OS command injection vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote authenticated attackers to execute commands.
CVE-2024-38645 CVSS:9.4
A server-side request forgery (SSRF) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote authenticated attackers to read application data.
CVE-2024-38646 CVSS:8.4
An incorrect permission assignment for critical resource vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow local authenticated attackers who have gained administrator access to read or modify the resource.
CVE-2024-50396 CVSS:7.7
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to obtain secret data or modify memory.
CVE-2024-50397 CVSS:7.7
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to obtain secret data or modify memory.
Impact
- Gain Access
Indicators of Compromise
CVE
- CVE-2024-38643
- CVE-2024-38644
- CVE-2024-38645
- CVE-2024-38646
- CVE-2024-50396
- CVE-2024-50397
Affected Vendors
Affected Products
- Notes Station 3 version 3.9.x
- QTS 5.2.x
- QuTS hero h5.2.x
Remediation
Refer to QNAP Security Advisory for patch, upgrade or suggested workaround information.