File Station 5
Monthly
Authorization bypass in QNAP File Station 5 (versions 5.5.0 through 5.5.6.5243) allows a remote attacker with a valid low-privileged user account to circumvent intended access restrictions and reach files or operations they should not be able to access. The flaw was reported by QNAP itself with a CVSS 4.0 score of 8.6 reflecting high confidentiality and integrity impact, and there is no public exploit identified at time of analysis. Note that the vendor description text references 'File Station 6,' but the CPE, affected version list, and fix data all point to File Station 5, which appears to be a typo in the advisory.
Stack-based buffer overflow in QNAP File Station 5 versions 5.5.0 through 5.5.6.5208 allows authenticated remote attackers to corrupt memory and crash processes on affected NAS deployments. CVSS 4.0 score of 8.7 reflects high impact across confidentiality, integrity, and availability, though exploitation requires valid user credentials (PR:L). No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Resource exhaustion in QNAP File Station 5 (versions 5.5.0 through 5.5.6.5242) allows a remote attacker holding a low-privilege user account to exhaust shared resources, denying availability to other users, processes, or applications on the same system. The vulnerability is classified as a Denial-of-Service risk with no impact on confidentiality or data integrity. No public exploit code or CISA KEV listing has been identified at time of analysis; QNAP has released a patched version and published a security advisory.
NULL pointer dereference in QNAP File Station 5 enables authenticated remote attackers to crash the service and cause a denial-of-service condition. Exploitation requires prior acquisition of a valid user account on the target QNAP NAS device, after which the attacker can trigger the dereference remotely over the network. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Authorization bypass in QNAP File Station 5 (versions 5.5.0 through 5.5.6.5243) allows a remote attacker with a valid low-privileged user account to circumvent intended access restrictions and reach files or operations they should not be able to access. The flaw was reported by QNAP itself with a CVSS 4.0 score of 8.6 reflecting high confidentiality and integrity impact, and there is no public exploit identified at time of analysis. Note that the vendor description text references 'File Station 6,' but the CPE, affected version list, and fix data all point to File Station 5, which appears to be a typo in the advisory.
Stack-based buffer overflow in QNAP File Station 5 versions 5.5.0 through 5.5.6.5208 allows authenticated remote attackers to corrupt memory and crash processes on affected NAS deployments. CVSS 4.0 score of 8.7 reflects high impact across confidentiality, integrity, and availability, though exploitation requires valid user credentials (PR:L). No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Resource exhaustion in QNAP File Station 5 (versions 5.5.0 through 5.5.6.5242) allows a remote attacker holding a low-privilege user account to exhaust shared resources, denying availability to other users, processes, or applications on the same system. The vulnerability is classified as a Denial-of-Service risk with no impact on confidentiality or data integrity. No public exploit code or CISA KEV listing has been identified at time of analysis; QNAP has released a patched version and published a security advisory.
NULL pointer dereference in QNAP File Station 5 enables authenticated remote attackers to crash the service and cause a denial-of-service condition. Exploitation requires prior acquisition of a valid user account on the target QNAP NAS device, after which the attacker can trigger the dereference remotely over the network. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.