September 12, 2024
Severity
Medium
Analysis Summary
CVE-2024-21903 CVSS:6.6
QNAP QTS and QuTS hero could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.
CVE-2024-21906 CVSS:4.7
QNAP QTS and QuTS hero could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.
CVE-2023-34979 CVSS:6.6
QNAP QTS and QuTS hero could allow a remote attacker to execute arbitrary commands on the system by sending a specially crafted request.
CVE-2023-51368 CVSS:5.4
QNAP QTS and QuTS hero are vulnerable to a denial of service caused by a NULL pointer dereference. By sending a specially crafted request, a remote attacker could crash the affected service.
CVE-2024-21904 CVSS:5.9
QNAP QTS and QuTS hero could allow a remote attacker to traverse directories on the system. By sending a specially crafted request, an attacker could read the contents of unexpected files and expose sensitive data.
CVE-2023-51367 CVSS:5.4
QNAP QTS and QuTS hero are vulnerable to a buffer overflow caused by improper bounds checking. By sending a specially crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVE-2024-32771 CVSS:2.6
QNAP QTS and QuTS hero could allow a remote authenticated attacker to bypass security restrictions because excessive authentication attempts are not properly restricted. An attacker could exploit this vulnerability to perform an arbitrary number of authentication attempts via unspecified vectors.
CVE-2023-50366 CVSS:4.3
QNAP QTS and QuTS hero are vulnerable to cross-site scripting caused by improper validation of user-supplied input. A remote authenticated attacker could inject malicious script into a web page, which would execute in a victim's browser within the security context of the hosting website once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Impact
- Code Execution
- Denial of Service
- Cross-Site Scripting
- Buffer Overflow
- Security Bypass
Indicators of Compromise
CVE
- CVE-2024-21903
- CVE-2024-21906
- CVE-2023-34979
- CVE-2023-51368
- CVE-2024-21904
- CVE-2023-51367
- CVE-2024-32771
- CVE-2023-50366
Affected Vendors
- QNAP Systems Inc.
Affected Products
- QNAP Systems Inc. QTS - 5.1.x
- QNAP Systems Inc. QuTScloud
- QNAP Systems Inc. QuTS hero - h5.1.x
- QNAP Systems Inc. QTS - 4.5.x
- QNAP Systems Inc. QuTS hero - h4.5.x
Remediation
Refer to the QNAP Security Advisory for patch, upgrade or suggested workaround information. Until the affected QTS and QuTS hero branches listed above are updated, monitor the NAS authentication logs for bursts of failed logins, since CVE-2024-32771 means the appliance itself may not throttle them.
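As an added example of the interim check suggested above (this code is not part of the advisory or of any QNAP tooling), the script below flags source addresses that produce a burst of failed logins inside a sliding time window, which is the attacker behaviour CVE-2024-32771 leaves unthrottled. The log line layout, the addresses and the threshold are constructed assumptions for this example; QNAP's real log format differs, so adapt `LINE_RE` before pointing it at exported NAS logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed syslog-like shape.
# This is NOT QNAP's actual log format; it only illustrates the detection logic.
SAMPLE_LOG = """\
2024-09-12T10:00:01Z auth: login failed user=admin src=203.0.113.5
2024-09-12T10:00:02Z auth: login failed user=admin src=203.0.113.5
2024-09-12T10:00:03Z auth: login failed user=admin src=203.0.113.5
2024-09-12T10:00:04Z auth: login failed user=admin src=203.0.113.5
2024-09-12T10:00:05Z auth: login failed user=admin src=203.0.113.5
2024-09-12T10:00:06Z auth: login ok user=admin src=203.0.113.5
2024-09-12T10:01:00Z auth: login failed user=backup src=198.51.100.7
2024-09-12T10:03:00Z auth: login failed user=backup src=198.51.100.7
2024-09-12T10:05:00Z auth: login failed user=backup src=198.51.100.7
this line is deliberately malformed and must be skipped
"""

# Assumed line shape: "<ISO-8601 UTC> auth: login <failed|ok> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth: login "
    r"(?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line; return a dict or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {src: details} for sources with >= threshold failures in any window.

    details = {"first_alert": datetime, "failures": int, "users": [names],
               "success_after": bool}  (success_after marks a later successful
    login from the same source, i.e. the guess may have worked).
    """
    recent = defaultdict(deque)   # src -> failure timestamps still inside window
    total = defaultdict(int)      # src -> all failures seen
    users = defaultdict(set)      # src -> usernames tried
    alerts = {}

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip anything that does not parse
        src, ts = rec["src"], rec["ts"]

        if rec["result"] == "ok":
            if src in alerts:             # success from an already-flagged source
                alerts[src]["success_after"] = True
            continue

        total[src] += 1
        users[src].add(rec["user"])
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()

        if len(q) >= threshold:
            if src not in alerts:
                alerts[src] = {"first_alert": ts, "success_after": False}
            alerts[src]["failures"] = total[src]
            alerts[src]["users"] = sorted(users[src])

    return alerts


if __name__ == "__main__":
    for src, d in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {d['failures']} failures, users={d['users']}, "
              f"first alert {d['first_alert'].isoformat()}, "
              f"success afterwards={d['success_after']}")
```

In the constructed sample, 203.0.113.5 reaches five failures within ten seconds and then logs in successfully, so it is reported with `success_after` set; 198.51.100.7 fails three times spread over five minutes and stays below the threshold. Tune `threshold` and `window` to the appliance's normal user population before acting on the output.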