January 8, 2024 at 09:54AM
QNAP Systems has released patches for a dozen vulnerabilities, including high-severity flaws affecting its operating system and products like QTS, QuTS hero, Video Station, and QuMagie. These vulnerabilities could allow remote attackers to execute arbitrary code, perform SQL injection and OS command injection, and exploit cross-site scripting flaws. Details can be found on QNAP’s security advisories page.
The advisories cover high-severity flaws in the operating system itself. CVE-2023-39296, a prototype pollution flaw, was resolved in QTS 5.1.3.2578 build 20231110 and QuTS hero h5.1.3.2578 build 20231110. The same releases also address CVE-2022-43634, a security defect in the Netatalk file-sharing component shipped with the OS.
Patches were also released for high-severity vulnerabilities in Video Station, an SQL injection flaw (CVE-2023-41287) and an OS command injection flaw (CVE-2023-41288), both resolved in Video Station 5.7.2.
High-severity, remotely exploitable bugs in QuMagie were addressed in QuMagie 2.2.1: CVE-2023-47559, a cross-site scripting (XSS) flaw, and CVE-2023-47560, an OS command injection defect.
Patches for several other medium- and low-severity vulnerabilities in QTS, QuTS hero, QcalAgent, and QuMagie were announced at the same time.
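The practical question for an administrator is whether the versions actually running on a given appliance are at or above the fixed releases named above. The following Python script, an example added to this summary and not QNAP's own tooling, parses QNAP-style version strings such as "5.1.3.2578 build 20231110" (the format is assumed from the strings quoted in the text), compares them against the fixed versions listed above, and flags components that are still exposed. The installed inventory is constructed for illustration.

```python
"""Check installed QNAP component versions against the fixed versions
named in this advisory summary.

Added example, not QNAP code. The version-string format is assumed from
the strings quoted in the text: optional leading 'h' (QuTS hero),
dotted numeric components, optional ' build YYYYMMDD' suffix.
"""
import re

# Fixed versions taken from the advisory summary above.
FIXED_VERSIONS = {
    "QTS": "5.1.3.2578 build 20231110",
    "QuTS hero": "h5.1.3.2578 build 20231110",
    "Video Station": "5.7.2",
    "QuMagie": "2.2.1",
}

# Constructed sample inventory (hypothetical values, not a real appliance).
INVENTORY = {
    "QTS": "5.1.2.2000 build 20230901",
    "QuTS hero": "h5.1.3.2578 build 20231110",
    "Video Station": "5.7.1",
    "QuMagie": "2.2.1",
    "QcalAgent": "1.1.8",  # no fixed version given in the text; skipped
}

_VERSION_RE = re.compile(r"^h?(\d+(?:\.\d+)*)(?:\s+build\s+(\d{8}))?$")


def parse_version(text: str) -> tuple[tuple[int, ...], int]:
    """Return (numeric components, build date) for a QNAP-style version.

    A leading 'h' is ignored; a missing build date is treated as 0 so that
    a bare version compares equal to itself with no build suffix.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return nums, build


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b.

    Numeric components are zero-padded to equal length so "5.7.2" and
    "5.7.2.0" compare equal; the build date breaks ties between builds
    that share the same numeric version (e.g. a re-spin of 5.1.3.2578).
    """
    a_nums, a_build = parse_version(a)
    b_nums, b_build = parse_version(b)
    width = max(len(a_nums), len(b_nums))
    a_key = (a_nums + (0,) * (width - len(a_nums)), a_build)
    b_key = (b_nums + (0,) * (width - len(b_nums)), b_build)
    return (a_key > b_key) - (a_key < b_key)


def is_patched(component: str, installed: str) -> bool:
    """True if the installed version is at or above the fixed version."""
    return compare_versions(installed, FIXED_VERSIONS[component]) >= 0


def audit(inventory: dict[str, str]) -> dict[str, bool]:
    """Map each component with a known fixed version to its patched state.

    Components not named in the advisory (e.g. QcalAgent here) are skipped
    rather than reported as safe.
    """
    return {
        component: is_patched(component, version)
        for component, version in inventory.items()
        if component in FIXED_VERSIONS
    }


if __name__ == "__main__":
    for component, ok in audit(INVENTORY).items():
        state = "patched" if ok else "VULNERABLE (below fixed version)"
        print(f"{component:14} {INVENTORY[component]:32} {state}")
```

Compare against the installed versions reported in the QTS/QuTS hero App Center or the system status page; a component without a fixed version in the advisory is deliberately left out of the result rather than silently marked safe.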
QNAP has not reported exploitation of these flaws in the wild, but threat actors are known to target unpatched QNAP appliances, so the updates should be applied promptly.