

Severity
High
Analysis Summary
CVE-2024-38643 CVSS:9.3
A missing authentication for critical function vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote attackers to gain access to and execute certain functions.
CVE-2024-38644 CVSS:8.7
An OS command injection vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote authenticated attackers to execute commands.
CVE-2024-38645 CVSS:9.4
A server-side request forgery (SSRF) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote authenticated attackers to read application data.
CVE-2024-38646 CVSS:8.4
An incorrect permission assignment for critical resource vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow local authenticated attackers who have gained administrator access to read or modify the resource.
CVE-2024-50396 CVSS:7.7
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to obtain secret data or modify memory.
CVE-2024-50397 CVSS:7.7
A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to obtain secret data or modify memory.
Impact
- Gain Access
Indicators of Compromise
CVE
- CVE-2024-38643
- CVE-2024-38644
- CVE-2024-38645
- CVE-2024-38646
- CVE-2024-50396
- CVE-2024-50397
Affected Vendors
- QNAP
Affected Products
- Notes Station 3 version 3.9.x
- QTS 5.2.x
- QuTS hero h5.2.x
Remediation
Refer to the QNAP Security Advisory for patch, upgrade, or suggested workaround information.