Skip to main content

Qts CVE-2024-32766

CRITICAL
Command Injection (CWE-77)
2024-04-26 security@qnapsecurity.com.tw
10.0
CVSS 3.1 · Vendor: qnapsecurity
Share

Severity by source

Vendor (qnapsecurity) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from Vendor (qnapsecurity) · only source for this CVE.

CVSS VectorVendor: qnapsecurity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Apr 26, 2024 - 15:15 cve.org
CRITICAL 10.0

DescriptionCVE.org

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.

We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later

AnalysisAI

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Command Injection (CWE-77), which allows attackers to inject arbitrary commands into system command execution. An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later Affected products include: Qnap Qts, Qnap Quts Hero, Qnap Qutscloud.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized APIs, avoid shell execution, validate input with strict allowlists.

More in Qts

View all
CVE-2017-6361 CRITICAL POC
9.8 Mar 23

QNAP QTS before 4.2.4 Build 20170313 allows attackers to execute arbitrary commands via unspecified vectors. Rated criti

CVE-2017-6360 CRITICAL POC
9.8 Mar 23

QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and obtain sensitive information

CVE-2017-13067 CRITICAL POC
9.8 Sep 14

QNAP has patched a remote code execution vulnerability affecting the QTS Media Library in all versions prior to QTS 4.2.

CVE-2017-6359 CRITICAL POC
9.8 Mar 23

QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and execute arbitrary commands vi

CVE-2017-5227 HIGH POC
7.5 Mar 23

QNAP QTS before 4.2.4 Build 20170313 allows local users to obtain sensitive Domain Administrator password information by

CVE-2017-7876 CRITICAL POC
10.0 Jun 15

This command injection vulnerability in QTS allows attackers to run arbitrary commands in the compromised application. R

CVE-2019-7193 CRITICAL POC
9.8 Dec 05

This improper input validation vulnerability allows remote attackers to inject arbitrary code to the system. Rated criti

CVE-2023-39296 HIGH POC
7.5 Jan 05

A prototype pollution vulnerability has been reported to affect several QNAP operating system versions. Rated high sever

CVE-2017-17028 CRITICAL
9.8 Dec 21

A buffer overflow vulnerability in external device function in QNAP QTS version 4.2.6 build 20171026, 4.3.3.0378 build 2

CVE-2017-17033 CRITICAL
9.8 Dec 21

A buffer overflow vulnerability in password function in QNAP QTS version 4.2.6 build 20171026, 4.3.3.0378 build 20171117

CVE-2017-17032 CRITICAL
9.8 Dec 21

A buffer overflow vulnerability in password function in QNAP QTS version 4.2.6 build 20171026, 4.3.3.0378 build 20171117

CVE-2017-17031 CRITICAL
9.8 Dec 21

A buffer overflow vulnerability in password function in QNAP QTS version 4.2.6 build 20171026, 4.3.3.0378 build 20171117

Share

CVE-2024-32766 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy