Search criteria
48 vulnerabilities found for QVR by Qnap
CVE-2025-52856 (GCVE-0-2025-52856)
Vulnerability from nvd – Published: 2025-08-29 17:17 – Updated: 2025-08-30 03:55
VLAI?
Summary
An improper authentication vulnerability has been reported to affect VioStor. If a remote attacker, they can then exploit the vulnerability to compromise the security of the system.
We have already fixed the vulnerability in the following version:
VioStor 5.1.6 build 20250621 and later
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | VioStor |
Affected:
5.1.0 , < 5.1.6 build 20250621
(custom)
|
Credits
360 的安全研究员 侯留洋(houliuyang@360.cn)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52856",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-30T03:55:40.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "VioStor",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.1.6 build 20250621",
"status": "affected",
"version": "5.1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "360 \u7684\u5b89\u5168\u7814\u7a76\u5458 \u4faf\u7559\u6d0b\uff08houliuyang@360.cn\uff09"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper authentication vulnerability has been reported to affect VioStor. If a remote attacker, they can then exploit the vulnerability to compromise the security of the system.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following version:\u003cbr\u003eVioStor 5.1.6 build 20250621 and later\u003cbr\u003e"
}
],
"value": "An improper authentication vulnerability has been reported to affect VioStor. If a remote attacker, they can then exploit the vulnerability to compromise the security of the system.\n\nWe have already fixed the vulnerability in the following version:\nVioStor 5.1.6 build 20250621 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T17:17:20.562Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-25-29"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following version:\u003cbr\u003eVioStor 5.1.6 build 20250621 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following version:\nVioStor 5.1.6 build 20250621 and later"
}
],
"source": {
"advisory": "QSA-25-29",
"discovery": "EXTERNAL"
},
"title": "VioStor",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2025-52856",
"datePublished": "2025-08-29T17:17:20.562Z",
"dateReserved": "2025-06-20T05:51:57.033Z",
"dateUpdated": "2025-08-30T03:55:40.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23355 (GCVE-0-2023-23355)
Vulnerability from nvd – Published: 2023-03-29 04:02 – Updated: 2025-02-12 16:49
VLAI?
Summary
An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote authenticated administrators to execute commands via unspecified vectors.
QES is not affected.
We have already fixed the vulnerability in the following versions:
QTS 5.0.1.2346 build 20230322 and later
QTS 4.5.4.2374 build 20230416 and later
QuTS hero h5.0.1.2348 build 20230324 and later
QuTS hero h4.5.4.2374 build 20230417 and later
QuTScloud c5.0.1.2374 and later
Severity ?
6.6 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
5.0.* , < 5.0.1.2346 build 20230322
(custom)
Affected: 4.5.* , < 4.5.4.2374 build 20230416 (custom) |
|||||||||||||||||
|
|||||||||||||||||||
Credits
YC of the M1QLin security team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:28:40.640Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-23-10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23355",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-12T16:44:53.551036Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T16:49:09.437Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.0.1.2346 build 20230322",
"status": "affected",
"version": "5.0.*",
"versionType": "custom"
},
{
"lessThan": "4.5.4.2374 build 20230416",
"status": "affected",
"version": "4.5.*",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.0.1.2348 build 20230324",
"status": "affected",
"version": "h5.0.*",
"versionType": "custom"
},
{
"lessThan": "h4.5.4.2374 build 20230417",
"status": "affected",
"version": "h4.5.*",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.0.1.2374",
"status": "affected",
"version": "c5.0.1",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QES",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"status": "unaffected",
"version": "2.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "YC of the M1QLin security team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote authenticated administrators to execute commands via unspecified vectors.\u003cbr\u003eQES is not affected.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.0.1.2346 build 20230322 and later\u003cbr\u003eQTS 4.5.4.2374 build 20230416 and later\u003cbr\u003eQuTS hero h5.0.1.2348 build 20230324 and later\u003cbr\u003eQuTS hero h4.5.4.2374 build 20230417 and later\u003cbr\u003eQuTScloud c5.0.1.2374 and later\u003cbr\u003e"
}
],
"value": "An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote authenticated administrators to execute commands via unspecified vectors.\nQES is not affected.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.0.1.2346 build 20230322 and later\nQTS 4.5.4.2374 build 20230416 and later\nQuTS hero h5.0.1.2348 build 20230324 and later\nQuTS hero h4.5.4.2374 build 20230417 and later\nQuTScloud c5.0.1.2374 and later\n"
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-78",
"description": "CWE-78",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-30T03:48:47.402Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-23-10"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.0.1.2346 build 20230322 and later\u003cbr\u003eQTS 4.5.4.2374 build 20230416 and later\u003cbr\u003eQuTS hero h5.0.1.2348 build 20230324 and later\u003cbr\u003eQuTS hero h4.5.4.2374 build 20230417 and later\u003cbr\u003eQuTScloud c5.0.1.2374 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.0.1.2346 build 20230322 and later\nQTS 4.5.4.2374 build 20230416 and later\nQuTS hero h5.0.1.2348 build 20230324 and later\nQuTS hero h4.5.4.2374 build 20230417 and later\nQuTScloud c5.0.1.2374 and later\n"
}
],
"source": {
"advisory": "QSA-23-10",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances), QVR",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2023-23355",
"datePublished": "2023-03-29T04:02:59.944Z",
"dateReserved": "2023-01-11T20:15:53.084Z",
"dateUpdated": "2025-02-12T16:49:09.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-27597 (GCVE-0-2022-27597)
Vulnerability from nvd – Published: 2023-03-29 00:00 – Updated: 2025-02-12 19:32
VLAI?
Summary
A vulnerability has been reported to affect QNAP operating systems. If exploited, the out-of-bounds read vulnerability allows remote authenticated administrators to get secret values. The vulnerability affects the following QNAP operating systems: QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances) We have already fixed the vulnerability in the following versions: QTS 5.0.1.2346 build 20230322 and later QuTS hero h5.0.1.2348 build 20230324 and later
Severity ?
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 5.0.1.2346 build 20230322
(custom)
|
|||||||
|
|||||||||
Credits
Sternum LIV and Sternum team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:32:58.345Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-23-06"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-27597",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-12T19:32:36.172672Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T19:32:39.994Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.0.1.2346 build 20230322",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.0.1.2348 build 20230324",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Sternum LIV and Sternum team"
}
],
"datePublic": "2023-03-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been reported to affect QNAP operating systems. If exploited, the out-of-bounds read vulnerability allows remote authenticated administrators to get secret values. The vulnerability affects the following QNAP operating systems: QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances) We have already fixed the vulnerability in the following versions: QTS 5.0.1.2346 build 20230322 and later QuTS hero h5.0.1.2348 build 20230324 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1295",
"description": "CWE-1295",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-489",
"description": "CWE-489",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-20T00:00:00.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-23-06"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.0.1.2346 build 20230322 and later\nQuTS hero h5.0.1.2348 build 20230324 and later\n"
}
],
"source": {
"advisory": "QSA-23-06",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2022-27597",
"datePublished": "2023-03-29T00:00:00.000Z",
"dateReserved": "2022-03-21T00:00:00.000Z",
"dateUpdated": "2025-02-12T19:32:39.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-27588 (GCVE-0-2022-27588)
Vulnerability from nvd – Published: 2022-05-05 16:50 – Updated: 2024-09-16 20:21
VLAI?
Summary
We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.6 build 20220401 and later
Severity ?
9.8 (Critical)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | QVR |
Affected:
unspecified , < 5.1.6 build 20220401
(custom)
|
Credits
JPCERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:33:00.646Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-07"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QVR",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.1.6 build 20220401",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "JPCERT/CC"
}
],
"datePublic": "2022-05-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.6 build 20220401 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T16:50:30",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-07"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QVR:\nQVR 5.1.6 build 20220401 and later"
}
],
"source": {
"advisory": "QSA-22-07",
"discovery": "EXTERNAL"
},
"title": "Vulnerability in QVR",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2022-05-06T00:00:00.000Z",
"ID": "CVE-2022-27588",
"STATE": "PUBLIC",
"TITLE": "Vulnerability in QVR"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QVR",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.1.6 build 20220401"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "JPCERT/CC"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.6 build 20220401 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-77"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-22-07",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-22-07"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QVR:\nQVR 5.1.6 build 20220401 and later"
}
],
"source": {
"advisory": "QSA-22-07",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2022-27588",
"datePublished": "2022-05-05T16:50:30.497028Z",
"dateReserved": "2022-03-21T00:00:00",
"dateUpdated": "2024-09-16T20:21:49.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38686 (GCVE-0-2021-38686)
Vulnerability from nvd – Published: 2021-11-26 14:00 – Updated: 2024-09-16 20:16
VLAI?
Summary
An improper authentication vulnerability has been reported to affect QNAP device, VioStor. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of QVR: QVR FW 5.1.6 build 20211109 and later
Severity ?
8.8 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | QVR |
Affected:
unspecified , < QVR FW 5.1.6 build 20211109
(custom)
|
Credits
JPCERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:51:19.142Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-52"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QVR",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "QVR FW 5.1.6 build 20211109",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "JPCERT/CC"
}
],
"datePublic": "2021-11-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An improper authentication vulnerability has been reported to affect QNAP device, VioStor. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of QVR: QVR FW 5.1.6 build 20211109 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-26T14:00:14",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-52"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QVR:\nQVR FW 5.1.6 build 20211109 and later"
}
],
"source": {
"advisory": "QSA-21-52",
"discovery": "EXTERNAL"
},
"title": "Improper Authentication Vulnerability in VioStor",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-11-26T09:47:00.000Z",
"ID": "CVE-2021-38686",
"STATE": "PUBLIC",
"TITLE": "Improper Authentication Vulnerability in VioStor"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QVR",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "QVR FW 5.1.6 build 20211109"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "JPCERT/CC"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper authentication vulnerability has been reported to affect QNAP device, VioStor. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of QVR: QVR FW 5.1.6 build 20211109 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-21-52",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-21-52"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QVR:\nQVR FW 5.1.6 build 20211109 and later"
}
],
"source": {
"advisory": "QSA-21-52",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-38686",
"datePublished": "2021-11-26T14:00:14.527222Z",
"dateReserved": "2021-08-13T00:00:00",
"dateUpdated": "2024-09-16T20:16:15.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2025-52856
Vulnerability from fkie_nvd - Published: 2025-08-29 18:15 - Updated: 2025-12-10 21:58
Severity ?
Summary
An improper authentication vulnerability has been reported to affect VioStor. If a remote attacker, they can then exploit the vulnerability to compromise the security of the system.
We have already fixed the vulnerability in the following version:
VioStor 5.1.6 build 20250621 and later
References
| URL | Tags | ||
|---|---|---|---|
| security@qnapsecurity.com.tw | https://www.qnap.com/en/security-advisory/qsa-25-29 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap:qvr:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2D1E0B07-5DBB-447F-947B-E52CCF88FB65",
"versionEndExcluding": "5.1.6",
"versionStartIncluding": "5.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:qnap:qvr:5.1.6:-:*:*:*:*:*:*",
"matchCriteriaId": "3046A6EC-3988-4E5D-A3E1-DD3C8D7CF14E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An improper authentication vulnerability has been reported to affect VioStor. If a remote attacker, they can then exploit the vulnerability to compromise the security of the system.\n\nWe have already fixed the vulnerability in the following version:\nVioStor 5.1.6 build 20250621 and later"
}
],
"id": "CVE-2025-52856",
"lastModified": "2025-12-10T21:58:30.410",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
}
]
},
"published": "2025-08-29T18:15:42.557",
"references": [
{
"source": "security@qnapsecurity.com.tw",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-25-29"
}
],
"sourceIdentifier": "security@qnapsecurity.com.tw",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-27597
Vulnerability from fkie_nvd - Published: 2023-03-29 07:15 - Updated: 2024-11-21 06:56
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Summary
A vulnerability has been reported to affect QNAP operating systems. If exploited, the out-of-bounds read vulnerability allows remote authenticated administrators to get secret values. The vulnerability affects the following QNAP operating systems: QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances) We have already fixed the vulnerability in the following versions: QTS 5.0.1.2346 build 20230322 and later QuTS hero h5.0.1.2348 build 20230324 and later
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| qnap | qvr | - | |
| qnap | qts | * | |
| qnap | quts_hero | * | |
| qnap | qutscloud | - | |
| qnap | qvp-41b_firmware | - | |
| qnap | qvp-41b | - | |
| qnap | qvp-63b_firmware | - | |
| qnap | qvp-63b | - | |
| qnap | qvp-85b_firmware | - | |
| qnap | qvp-85b | - | |
| qnap | qvp-21a_firmware | - | |
| qnap | qvp-21a | - | |
| qnap | qvp-41a_firmware | - | |
| qnap | qvp-41a | - | |
| qnap | qvp-63a_firmware | - | |
| qnap | qvp-63a | - | |
| qnap | qvp-85a_firmware | - | |
| qnap | qvp-85a | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap:qvr:-:*:*:*:*:*:*:*",
"matchCriteriaId": "42F03B20-3D1D-44D9-8F23-9E9989115F0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9499D1F9-E357-4EAB-8588-7D5F58323C9A",
"versionEndExcluding": "5.0.1.2346",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*",
"matchCriteriaId": "67BA4C2A-0193-494E-8FAE-CCD2E552741D",
"versionEndExcluding": "h5.0.1.2348",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:qnap:qutscloud:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E5A9F466-2EAD-4D49-9B52-65EE161A120B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:qnap:qvp-41b_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4D6ADC0D-E55E-481F-91AD-2A8206A03727",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:qnap:qvp-41b:-:*:*:*:*:*:*:*",
"matchCriteriaId": "1D764104-5E62-48E3-B6D1-18F65C1FFF39",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:qnap:qvp-63b_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5AC0360C-919F-4AB8-B6BB-DE461817185A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:qnap:qvp-63b:-:*:*:*:*:*:*:*",
"matchCriteriaId": "9C84CB0F-23E8-453F-A485-8D5B9A4B9D01",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:qnap:qvp-85b_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "9E0F038B-7D58-4BDF-A697-4B3D06EB8605",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:qnap:qvp-85b:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DFD9423A-DC97-44DE-92E8-917F2CF84918",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:qnap:qvp-21a_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D78E0EC9-5FE3-4C5C-913E-255A310D5DC9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:qnap:qvp-21a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FD2CA465-3F63-4955-A275-D6B49BCED673",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:qnap:qvp-41a_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "27D87757-F3CB-4A02-8D99-2851220B1962",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:qnap:qvp-41a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "790DC93C-E866-47B6-8324-B7324B83F48F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:qnap:qvp-63a_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "98D4CB3C-13B8-412D-B3A0-6CB561F27E61",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:qnap:qvp-63a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E5E59A7B-E96E-44B9-ABF5-886CC2C7EDB1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:qnap:qvp-85a_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7E56A1-E75B-4172-AF3C-42F504189853",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:qnap:qvp-85a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4511E417-E9FE-4DC0-88DF-5BF9BCD67154",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been reported to affect QNAP operating systems. If exploited, the out-of-bounds read vulnerability allows remote authenticated administrators to get secret values. The vulnerability affects the following QNAP operating systems: QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances) We have already fixed the vulnerability in the following versions: QTS 5.0.1.2346 build 20230322 and later QuTS hero h5.0.1.2348 build 20230324 and later"
}
],
"id": "CVE-2022-27597",
"lastModified": "2024-11-21T06:56:00.510",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-29T07:15:08.403",
"references": [
{
"source": "security@qnapsecurity.com.tw",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-23-06"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-23-06"
}
],
"sourceIdentifier": "security@qnapsecurity.com.tw",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-125"
},
{
"lang": "en",
"value": "CWE-489"
},
{
"lang": "en",
"value": "CWE-1295"
}
],
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-23355
Vulnerability from fkie_nvd - Published: 2023-03-29 05:15 - Updated: 2024-11-21 07:46
Severity ?
6.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote authenticated administrators to execute commands via unspecified vectors.
QES is not affected.
We have already fixed the vulnerability in the following versions:
QTS 5.0.1.2346 build 20230322 and later
QTS 4.5.4.2374 build 20230416 and later
QuTS hero h5.0.1.2348 build 20230324 and later
QuTS hero h4.5.4.2374 build 20230417 and later
QuTScloud c5.0.1.2374 and later
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| qnap | qvr | - | |
| qnap | qts | * | |
| qnap | quts_hero | * | |
| qnap | qutscloud | - | |
| qnap | qvp-41b_firmware | - | |
| qnap | qvp-41b | - | |
| qnap | qvp-63b_firmware | - | |
| qnap | qvp-63b | - | |
| qnap | qvp-85b_firmware | - | |
| qnap | qvp-85b | - | |
| qnap | qvp-21a_firmware | - | |
| qnap | qvp-21a | - | |
| qnap | qvp-41a_firmware | - | |
| qnap | qvp-41a | - | |
| qnap | qvp-63a_firmware | - | |
| qnap | qvp-63a | - | |
| qnap | qvp-85a_firmware | - | |
| qnap | qvp-85a | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap:qvr:-:*:*:*:*:*:*:*",
"matchCriteriaId": "42F03B20-3D1D-44D9-8F23-9E9989115F0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9499D1F9-E357-4EAB-8588-7D5F58323C9A",
"versionEndExcluding": "5.0.1.2346",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*",
"matchCriteriaId": "67BA4C2A-0193-494E-8FAE-CCD2E552741D",
"versionEndExcluding": "h5.0.1.2348",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:qnap:qutscloud:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E5A9F466-2EAD-4D49-9B52-65EE161A120B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:qnap:qvp-41b_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4D6ADC0D-E55E-481F-91AD-2A8206A03727",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:qnap:qvp-41b:-:*:*:*:*:*:*:*",
"matchCriteriaId": "1D764104-5E62-48E3-B6D1-18F65C1FFF39",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:qnap:qvp-63b_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5AC0360C-919F-4AB8-B6BB-DE461817185A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:qnap:qvp-63b:-:*:*:*:*:*:*:*",
"matchCriteriaId": "9C84CB0F-23E8-453F-A485-8D5B9A4B9D01",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:qnap:qvp-85b_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "9E0F038B-7D58-4BDF-A697-4B3D06EB8605",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:qnap:qvp-85b:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DFD9423A-DC97-44DE-92E8-917F2CF84918",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:qnap:qvp-21a_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D78E0EC9-5FE3-4C5C-913E-255A310D5DC9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:qnap:qvp-21a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FD2CA465-3F63-4955-A275-D6B49BCED673",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:qnap:qvp-41a_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "27D87757-F3CB-4A02-8D99-2851220B1962",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:qnap:qvp-41a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "790DC93C-E866-47B6-8324-B7324B83F48F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:qnap:qvp-63a_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "98D4CB3C-13B8-412D-B3A0-6CB561F27E61",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:qnap:qvp-63a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E5E59A7B-E96E-44B9-ABF5-886CC2C7EDB1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:qnap:qvp-85a_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7E56A1-E75B-4172-AF3C-42F504189853",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:qnap:qvp-85a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4511E417-E9FE-4DC0-88DF-5BF9BCD67154",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote authenticated administrators to execute commands via unspecified vectors.\nQES is not affected.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.0.1.2346 build 20230322 and later\nQTS 4.5.4.2374 build 20230416 and later\nQuTS hero h5.0.1.2348 build 20230324 and later\nQuTS hero h4.5.4.2374 build 20230417 and later\nQuTScloud c5.0.1.2374 and later\n"
}
],
"id": "CVE-2023-23355",
"lastModified": "2024-11-21T07:46:01.613",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 3.7,
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-29T05:15:07.563",
"references": [
{
"source": "security@qnapsecurity.com.tw",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-23-10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-23-10"
}
],
"sourceIdentifier": "security@qnapsecurity.com.tw",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
},
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-27588
Vulnerability from fkie_nvd - Published: 2022-05-05 17:15 - Updated: 2024-11-21 06:55
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.6 build 20220401 and later
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap:qvr:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5BC129D1-7F4E-4FE9-85DC-FDD0BEB235FA",
"versionEndIncluding": "5.1.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.6 build 20220401 and later"
},
{
"lang": "es",
"value": "Ya hemos corregido esta vulnerabilidad en las siguientes versiones de QVR: QVR 5.1.6 build 20220401 y posteriores"
}
],
"id": "CVE-2022-27588",
"lastModified": "2024-11-21T06:55:59.950",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-05T17:15:12.847",
"references": [
{
"source": "security@qnapsecurity.com.tw",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-07"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-07"
}
],
"sourceIdentifier": "security@qnapsecurity.com.tw",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-38686
Vulnerability from fkie_nvd - Published: 2021-11-26 14:15 - Updated: 2024-11-21 06:17
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
An improper authentication vulnerability has been reported to affect QNAP device, VioStor. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of QVR: QVR FW 5.1.6 build 20211109 and later
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap:qvr:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3F8E79A7-1246-41DA-A756-000102510328",
"versionEndExcluding": "5.1.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An improper authentication vulnerability has been reported to affect QNAP device, VioStor. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of QVR: QVR FW 5.1.6 build 20211109 and later"
},
{
"lang": "es",
"value": "Se ha informado de una vulnerabilidad de autenticaci\u00f3n inapropiada que afecta al dispositivo de QNAP, VioStor. Si es explotada, esta vulnerabilidad permite a atacantes comprometer la seguridad del sistema. Ya hemos corregido esta vulnerabilidad en las siguientes versiones de QVR: QVR FW 5.1.6 build 20211109 y posteriores"
}
],
"id": "CVE-2021-38686",
"lastModified": "2024-11-21T06:17:53.847",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-11-26T14:15:07.780",
"references": [
{
"source": "security@qnapsecurity.com.tw",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-52"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-52"
}
],
"sourceIdentifier": "security@qnapsecurity.com.tw",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
}
]
}
FKIE_CVE-2021-38685
Vulnerability from fkie_nvd - Published: 2021-11-26 14:15 - Updated: 2024-11-21 06:17
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A command injection vulnerability has been reported to affect QNAP device, VioStor. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QVR: QVR FW 5.1.6 build 20211109 and later
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap:qvr:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3F8E79A7-1246-41DA-A756-000102510328",
"versionEndExcluding": "5.1.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A command injection vulnerability has been reported to affect QNAP device, VioStor. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QVR: QVR FW 5.1.6 build 20211109 and later"
},
{
"lang": "es",
"value": "Se ha informado de una vulnerabilidad de inyecci\u00f3n de comandos que afecta al dispositivo de QNAP, VioStor. Si es explotada, esta vulnerabilidad permite a atacantes remotos ejecutar comandos arbitrarios. Ya hemos corregido esta vulnerabilidad en las siguientes versiones de QVR: QVR FW 5.1.6 build 20211109 y posteriores"
}
],
"id": "CVE-2021-38685",
"lastModified": "2024-11-21T06:17:53.657",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-11-26T14:15:07.713",
"references": [
{
"source": "security@qnapsecurity.com.tw",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-51"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-51"
}
],
"sourceIdentifier": "security@qnapsecurity.com.tw",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
}
]
}
CVE-2025-52856 (GCVE-0-2025-52856)
Vulnerability from cvelistv5 – Published: 2025-08-29 17:17 – Updated: 2025-08-30 03:55
VLAI?
Summary
An improper authentication vulnerability has been reported to affect VioStor. If a remote attacker, they can then exploit the vulnerability to compromise the security of the system.
We have already fixed the vulnerability in the following version:
VioStor 5.1.6 build 20250621 and later
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | VioStor |
Affected:
5.1.0 , < 5.1.6 build 20250621
(custom)
|
Credits
360 的安全研究员 侯留洋(houliuyang@360.cn)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52856",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-30T03:55:40.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "VioStor",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.1.6 build 20250621",
"status": "affected",
"version": "5.1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "360 \u7684\u5b89\u5168\u7814\u7a76\u5458 \u4faf\u7559\u6d0b\uff08houliuyang@360.cn\uff09"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An improper authentication vulnerability has been reported to affect VioStor. If a remote attacker, they can then exploit the vulnerability to compromise the security of the system.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following version:\u003cbr\u003eVioStor 5.1.6 build 20250621 and later\u003cbr\u003e"
}
],
"value": "An improper authentication vulnerability has been reported to affect VioStor. If a remote attacker, they can then exploit the vulnerability to compromise the security of the system.\n\nWe have already fixed the vulnerability in the following version:\nVioStor 5.1.6 build 20250621 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T17:17:20.562Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-25-29"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following version:\u003cbr\u003eVioStor 5.1.6 build 20250621 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following version:\nVioStor 5.1.6 build 20250621 and later"
}
],
"source": {
"advisory": "QSA-25-29",
"discovery": "EXTERNAL"
},
"title": "VioStor",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2025-52856",
"datePublished": "2025-08-29T17:17:20.562Z",
"dateReserved": "2025-06-20T05:51:57.033Z",
"dateUpdated": "2025-08-30T03:55:40.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23355 (GCVE-0-2023-23355)
Vulnerability from cvelistv5 – Published: 2023-03-29 04:02 – Updated: 2025-02-12 16:49
VLAI?
Summary
An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote authenticated administrators to execute commands via unspecified vectors.
QES is not affected.
We have already fixed the vulnerability in the following versions:
QTS 5.0.1.2346 build 20230322 and later
QTS 4.5.4.2374 build 20230416 and later
QuTS hero h5.0.1.2348 build 20230324 and later
QuTS hero h4.5.4.2374 build 20230417 and later
QuTScloud c5.0.1.2374 and later
Severity ?
6.6 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
5.0.* , < 5.0.1.2346 build 20230322
(custom)
Affected: 4.5.* , < 4.5.4.2374 build 20230416 (custom) |
|||||||||||||||||
|
|||||||||||||||||||
Credits
YC of the M1QLin security team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:28:40.640Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-23-10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23355",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-12T16:44:53.551036Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T16:49:09.437Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.0.1.2346 build 20230322",
"status": "affected",
"version": "5.0.*",
"versionType": "custom"
},
{
"lessThan": "4.5.4.2374 build 20230416",
"status": "affected",
"version": "4.5.*",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.0.1.2348 build 20230324",
"status": "affected",
"version": "h5.0.*",
"versionType": "custom"
},
{
"lessThan": "h4.5.4.2374 build 20230417",
"status": "affected",
"version": "h4.5.*",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.0.1.2374",
"status": "affected",
"version": "c5.0.1",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QES",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"status": "unaffected",
"version": "2.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "YC of the M1QLin security team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote authenticated administrators to execute commands via unspecified vectors.\u003cbr\u003eQES is not affected.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.0.1.2346 build 20230322 and later\u003cbr\u003eQTS 4.5.4.2374 build 20230416 and later\u003cbr\u003eQuTS hero h5.0.1.2348 build 20230324 and later\u003cbr\u003eQuTS hero h4.5.4.2374 build 20230417 and later\u003cbr\u003eQuTScloud c5.0.1.2374 and later\u003cbr\u003e"
}
],
"value": "An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote authenticated administrators to execute commands via unspecified vectors.\nQES is not affected.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.0.1.2346 build 20230322 and later\nQTS 4.5.4.2374 build 20230416 and later\nQuTS hero h5.0.1.2348 build 20230324 and later\nQuTS hero h4.5.4.2374 build 20230417 and later\nQuTScloud c5.0.1.2374 and later\n"
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-78",
"description": "CWE-78",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-30T03:48:47.402Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-23-10"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQTS 5.0.1.2346 build 20230322 and later\u003cbr\u003eQTS 4.5.4.2374 build 20230416 and later\u003cbr\u003eQuTS hero h5.0.1.2348 build 20230324 and later\u003cbr\u003eQuTS hero h4.5.4.2374 build 20230417 and later\u003cbr\u003eQuTScloud c5.0.1.2374 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.0.1.2346 build 20230322 and later\nQTS 4.5.4.2374 build 20230416 and later\nQuTS hero h5.0.1.2348 build 20230324 and later\nQuTS hero h4.5.4.2374 build 20230417 and later\nQuTScloud c5.0.1.2374 and later\n"
}
],
"source": {
"advisory": "QSA-23-10",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances), QVR",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2023-23355",
"datePublished": "2023-03-29T04:02:59.944Z",
"dateReserved": "2023-01-11T20:15:53.084Z",
"dateUpdated": "2025-02-12T16:49:09.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-27597 (GCVE-0-2022-27597)
Vulnerability from cvelistv5 – Published: 2023-03-29 00:00 – Updated: 2025-02-12 19:32
VLAI?
Summary
A vulnerability has been reported to affect QNAP operating systems. If exploited, the out-of-bounds read vulnerability allows remote authenticated administrators to get secret values. The vulnerability affects the following QNAP operating systems: QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances) We have already fixed the vulnerability in the following versions: QTS 5.0.1.2346 build 20230322 and later QuTS hero h5.0.1.2348 build 20230324 and later
Severity ?
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 5.0.1.2346 build 20230322
(custom)
|
|||||||
|
|||||||||
Credits
Sternum LIV and Sternum team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:32:58.345Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-23-06"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-27597",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-12T19:32:36.172672Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T19:32:39.994Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.0.1.2346 build 20230322",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.0.1.2348 build 20230324",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Sternum LIV and Sternum team"
}
],
"datePublic": "2023-03-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been reported to affect QNAP operating systems. If exploited, the out-of-bounds read vulnerability allows remote authenticated administrators to get secret values. The vulnerability affects the following QNAP operating systems: QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances) We have already fixed the vulnerability in the following versions: QTS 5.0.1.2346 build 20230322 and later QuTS hero h5.0.1.2348 build 20230324 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1295",
"description": "CWE-1295",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-489",
"description": "CWE-489",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-20T00:00:00.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-23-06"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed the vulnerability in the following versions:\nQTS 5.0.1.2346 build 20230322 and later\nQuTS hero h5.0.1.2348 build 20230324 and later\n"
}
],
"source": {
"advisory": "QSA-23-06",
"discovery": "EXTERNAL"
},
"title": "QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2022-27597",
"datePublished": "2023-03-29T00:00:00.000Z",
"dateReserved": "2022-03-21T00:00:00.000Z",
"dateUpdated": "2025-02-12T19:32:39.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-27588 (GCVE-0-2022-27588)
Vulnerability from cvelistv5 – Published: 2022-05-05 16:50 – Updated: 2024-09-16 20:21
VLAI?
Summary
We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.6 build 20220401 and later
Severity ?
9.8 (Critical)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | QVR |
Affected:
unspecified , < 5.1.6 build 20220401
(custom)
|
Credits
JPCERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:33:00.646Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-07"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QVR",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.1.6 build 20220401",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "JPCERT/CC"
}
],
"datePublic": "2022-05-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.6 build 20220401 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T16:50:30",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-07"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QVR:\nQVR 5.1.6 build 20220401 and later"
}
],
"source": {
"advisory": "QSA-22-07",
"discovery": "EXTERNAL"
},
"title": "Vulnerability in QVR",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2022-05-06T00:00:00.000Z",
"ID": "CVE-2022-27588",
"STATE": "PUBLIC",
"TITLE": "Vulnerability in QVR"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QVR",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.1.6 build 20220401"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "JPCERT/CC"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.6 build 20220401 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-77"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-22-07",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-22-07"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QVR:\nQVR 5.1.6 build 20220401 and later"
}
],
"source": {
"advisory": "QSA-22-07",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2022-27588",
"datePublished": "2022-05-05T16:50:30.497028Z",
"dateReserved": "2022-03-21T00:00:00",
"dateUpdated": "2024-09-16T20:21:49.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38686 (GCVE-0-2021-38686)
Vulnerability from cvelistv5 – Published: 2021-11-26 14:00 – Updated: 2024-09-16 20:16
VLAI?
Summary
An improper authentication vulnerability has been reported to affect QNAP device, VioStor. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of QVR: QVR FW 5.1.6 build 20211109 and later
Severity ?
8.8 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | QVR |
Affected:
unspecified , < QVR FW 5.1.6 build 20211109
(custom)
|
Credits
JPCERT/CC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:51:19.142Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-52"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QVR",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "QVR FW 5.1.6 build 20211109",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "JPCERT/CC"
}
],
"datePublic": "2021-11-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An improper authentication vulnerability has been reported to affect QNAP device, VioStor. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of QVR: QVR FW 5.1.6 build 20211109 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-26T14:00:14",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-52"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QVR:\nQVR FW 5.1.6 build 20211109 and later"
}
],
"source": {
"advisory": "QSA-21-52",
"discovery": "EXTERNAL"
},
"title": "Improper Authentication Vulnerability in VioStor",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-11-26T09:47:00.000Z",
"ID": "CVE-2021-38686",
"STATE": "PUBLIC",
"TITLE": "Improper Authentication Vulnerability in VioStor"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QVR",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "QVR FW 5.1.6 build 20211109"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "JPCERT/CC"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper authentication vulnerability has been reported to affect QNAP device, VioStor. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of QVR: QVR FW 5.1.6 build 20211109 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-21-52",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-21-52"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QVR:\nQVR FW 5.1.6 build 20211109 and later"
}
],
"source": {
"advisory": "QSA-21-52",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-38686",
"datePublished": "2021-11-26T14:00:14.527222Z",
"dateReserved": "2021-08-13T00:00:00",
"dateUpdated": "2024-09-16T20:16:15.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CERTFR-2024-AVI-0752
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Qnap. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Qnap | QuTS hero | QuTS hero versions h4.5.x antérieures à h4.5.4.2790 build 20240606 | ||
| Qnap | QTS | QTS versions 4.3.4 antérieures à 4.3.4.2814 build 20240618 | ||
| Qnap | Download Station | Download Station versions 5.8.x antérieures à 5.8.6.283 | ||
| Qnap | QTS | QTS versions 4.3.3 antérieures à 4.3.3.2784 build 20240619 | ||
| Qnap | QuMagie | QuMagie versions 2.3.x antérieures à 2.3.1 | ||
| Qnap | QTS | QTS versions 4.2.6 antérieures à 4.2.6 build 20240618 | ||
| Qnap | QTS | QTS versions 4.3.6 antérieures à 4.3.6.2805 build 20240619 | ||
| Qnap | Helpdesk | Helpdesk versions 3.3.x antérieures à 3.3.1 | ||
| Qnap | Notes Station | Notes Station 3 versions 3.9.x antérieures à 3.9.6 | ||
| Qnap | QTS | QTS versions 5.1.x antérieures à 5.2.0.2782 build 20240601 | ||
| Qnap | QuTS hero | QuTS hero versions h4.5.x antérieures à h4.5.4.2626 build 20231225 | ||
| Qnap | QuTS hero | QuTS hero versions h5.1.x antérieures à h5.2.0.2782 build 20240601 | ||
| Qnap | Music Station | Music Station versions 5.4.x antérieures à 5.4.0 | ||
| Qnap | Video Station | Video Station versions 5.8.x antérieures à 5.8.2 | ||
| Qnap | QTS | QTS versions 4.5.x antérieures à 4.5.4.2790 build 20240605 | ||
| Qnap | QuLog Center | QuLog Center versions 1.7.x.x antérieures à 1.7.0.827 | ||
| Qnap | QuLog Center | QuLog Center versions 1.8.x.x antérieures à 1.8.0.872 | ||
| Qnap | QVR | QVR Smart Client versions 2.4.x.x antérieures à 2.4.0.0570 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "QuTS hero versions h4.5.x ant\u00e9rieures \u00e0 h4.5.4.2790 build 20240606",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.3.4 ant\u00e9rieures \u00e0 4.3.4.2814 build 20240618",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Download Station versions 5.8.x ant\u00e9rieures \u00e0 5.8.6.283",
"product": {
"name": "Download Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.3.3 ant\u00e9rieures \u00e0 4.3.3.2784 build 20240619",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuMagie versions 2.3.x ant\u00e9rieures \u00e0 2.3.1",
"product": {
"name": "QuMagie",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.2.6 ant\u00e9rieures \u00e0 4.2.6 build 20240618",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.3.6 ant\u00e9rieures \u00e0 4.3.6.2805 build 20240619",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Helpdesk versions 3.3.x ant\u00e9rieures \u00e0 3.3.1",
"product": {
"name": "Helpdesk",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Notes Station 3 versions 3.9.x ant\u00e9rieures \u00e0 3.9.6",
"product": {
"name": "Notes Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 5.1.x ant\u00e9rieures \u00e0 5.2.0.2782 build 20240601",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h4.5.x ant\u00e9rieures \u00e0 h4.5.4.2626 build 20231225",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h5.1.x ant\u00e9rieures \u00e0 h5.2.0.2782 build 20240601",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Music Station versions 5.4.x ant\u00e9rieures \u00e0 5.4.0",
"product": {
"name": "Music Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Video Station versions 5.8.x ant\u00e9rieures \u00e0 5.8.2",
"product": {
"name": "Video Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.5.x ant\u00e9rieures \u00e0 4.5.4.2790 build 20240605",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuLog Center versions 1.7.x.x ant\u00e9rieures \u00e0 1.7.0.827",
"product": {
"name": "QuLog Center",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuLog Center versions 1.8.x.x ant\u00e9rieures \u00e0 1.8.0.872",
"product": {
"name": "QuLog Center",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QVR Smart Client versions 2.4.x.x ant\u00e9rieures \u00e0 2.4.0.0570",
"product": {
"name": "QVR",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2022-27592",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27592"
},
{
"name": "CVE-2023-50360",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50360"
},
{
"name": "CVE-2024-32762",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32762"
},
{
"name": "CVE-2024-21906",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21906"
},
{
"name": "CVE-2024-38640",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38640"
},
{
"name": "CVE-2024-53691",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53691"
},
{
"name": "CVE-2023-34974",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34974"
},
{
"name": "CVE-2024-27125",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27125"
},
{
"name": "CVE-2024-32763",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32763"
},
{
"name": "CVE-2024-27126",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27126"
},
{
"name": "CVE-2023-47563",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47563"
},
{
"name": "CVE-2024-38641",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38641"
},
{
"name": "CVE-2024-38642",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38642"
},
{
"name": "CVE-2023-34979",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34979"
},
{
"name": "CVE-2023-39298",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39298"
},
{
"name": "CVE-2023-39300",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39300"
},
{
"name": "CVE-2023-45038",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45038"
},
{
"name": "CVE-2024-32771",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32771"
},
{
"name": "CVE-2023-38545",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38545"
},
{
"name": "CVE-2024-27122",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27122"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-0752",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-09-09T00:00:00.000000"
},
{
"description": "Ajout de l\u0027identifiant CVE-2024-53691.",
"revision_date": "2025-01-21T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Qnap. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
"vendor_advisories": [
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-24",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-24"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-26",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-26"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-34",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-34"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-30",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-30"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-21",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-21"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-27",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-27"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-29",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-29"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-28",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-28"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-32",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-32"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-25",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-25"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-33",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-33"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-22",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-22"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-35",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-35"
}
]
}
CERTFR-2023-AVI-1011
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Qnap. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire et une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Qnap | QuTS hero | Qnap QuTS hero h5.0.x versions antérieures à h5.0.1.2515 build 20230907 | ||
| Qnap | QTS | Qnap QTS 5.0.x versions antérieures à 5.0.1.2514 build 20230906 | ||
| Qnap | QTS | Qnap QTS 4.5.x versions antérieures à 4.5.4.2467 build 20230718 | ||
| Qnap | QTS | Qnap QTS 5.1.x versions antérieures à 5.1.3.2578 build 20231110 | ||
| Qnap | QVR | Qnap QVR Firmware 4.x versions antérieures à 5.x | ||
| Qnap | QuTS hero | Qnap QuTS hero h5.1.x versions antérieures à h5.1.3.2578 build 20231110 | ||
| Qnap | QuTS hero | Qnap QuTS hero h4.5.x versions antérieures à h4.5.4.2476 build 20230728 |
References
| Title | Publication Time | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Qnap QuTS hero h5.0.x versions ant\u00e9rieures \u00e0 h5.0.1.2515 build 20230907",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap QTS 5.0.x versions ant\u00e9rieures \u00e0 5.0.1.2514 build 20230906",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap QTS 4.5.x versions ant\u00e9rieures \u00e0 4.5.4.2467 build 20230718",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap QTS 5.1.x versions ant\u00e9rieures \u00e0 5.1.3.2578 build 20231110",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap QVR Firmware 4.x versions ant\u00e9rieures \u00e0 5.x",
"product": {
"name": "QVR",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap QuTS hero h5.1.x versions ant\u00e9rieures \u00e0 h5.1.3.2578 build 20231110",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap QuTS hero h4.5.x versions ant\u00e9rieures \u00e0 h4.5.4.2476 build 20230728",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2023-4091",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4091"
},
{
"name": "CVE-2023-42669",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42669"
},
{
"name": "CVE-2023-42670",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42670"
},
{
"name": "CVE-2023-4154",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4154"
},
{
"name": "CVE-2023-23372",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23372"
},
{
"name": "CVE-2023-3961",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3961"
},
{
"name": "CVE-2023-32975",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32975"
},
{
"name": "CVE-2023-32968",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32968"
},
{
"name": "CVE-2023-47565",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47565"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-1011",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-12-11T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles produits Qnap\u003c/span\u003e. Elles permettent \u00e0 un attaquant\nde provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une\nex\u00e9cution de code arbitraire et une injection de code indirecte \u00e0\ndistance (XSS).\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-23-07 du 09 d\u00e9cembre 2023",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-23-07"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-23-40 du 09 d\u00e9cembre 2023",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-23-40"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-23-48 du 09 d\u00e9cembre 2023",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-23-48"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-23-20 du 09 d\u00e9cembre 2023",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-23-20"
}
]
}
CERTFR-2023-AVI-0721
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Qnap. Certaines d'entre elles permettent à un attaquant de provoquer une injection de code indirecte à distance (XSS), une atteinte à la confidentialité des données et une exécution de code arbitraire.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Qnap | QuLog Center | QuLog Center pour QuTscloud c5.0.1 versions 1.4.x antérieures à 1.4.1.691 | ||
| Qnap | N/A | QuFirewall versions 2.3.x antérieures à 2.3.3 | ||
| Qnap | N/A | QuLog Center pour QTS 4.5.4 versions 1.3.x antérieures à 1.3.1.645 | ||
| Qnap | QVR | QVR Pro Client versions 2.3.x antérieures à 2.3.0.0420 | ||
| Qnap | N/A | QuLog Center pour QTS 5.0.1 versions 1.5.x antérieures à 1.5.0.738 | ||
| Qnap | N/A | QuLog Center pour QuTS hero h4.5.4 versions 1.3.x antérieures à 1.3.1.645 | ||
| Qnap | N/A | QuLog Center pour QuTS hero h5.0.1 versions 1.5.x antérieures à 1.5.0.738 |
References
| Title | Publication Time | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "QuLog Center pour QuTscloud c5.0.1 versions 1.4.x ant\u00e9rieures \u00e0 1.4.1.691",
"product": {
"name": "QuLog Center",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuFirewall versions 2.3.x ant\u00e9rieures \u00e0 2.3.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuLog Center pour QTS 4.5.4 versions 1.3.x ant\u00e9rieures \u00e0 1.3.1.645",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QVR Pro Client versions 2.3.x ant\u00e9rieures \u00e0 2.3.0.0420",
"product": {
"name": "QVR",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuLog Center pour QTS 5.0.1 versions 1.5.x ant\u00e9rieures \u00e0 1.5.0.738",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuLog Center pour QuTS hero h4.5.4 versions 1.3.x ant\u00e9rieures \u00e0 1.3.1.645",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuLog Center pour QuTS hero h5.0.1 versions 1.5.x ant\u00e9rieures \u00e0 1.5.0.738",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2023-23356",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23356"
},
{
"name": "CVE-2023-23354",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23354"
},
{
"name": "CVE-2023-23357",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23357"
},
{
"name": "CVE-2022-27599",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27599"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0721",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-09-08T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles produits Qnap\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une injection de code indirecte \u00e0\ndistance (XSS), une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une\nex\u00e9cution de code arbitraire.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-23-13 du 08 septembre 2023",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-23-13"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-23-08 du 08 septembre 2023",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-23-08"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-23-14 du 08 septembre 2023",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-23-14"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-23-16 du 08 septembre 2023",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-23-16"
}
]
}
CERTFR-2023-AVI-0602
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Qnap. Elles permettent à un attaquant de provoquer un déni de service à distance et une exécution de code arbitraire.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Qnap | QVR | QVR Pro Appliance versions antérieures à 2.3.1.0476 | ||
| Qnap | QTS | QTS versions antérieures à 4.5.4.2280 build 20230112 | ||
| Qnap | QuTS hero | QuTS hero versions antérieures à h4.5.4.2374 build 20230417 | ||
| Qnap | N/A | QVPN Device Client pour Windows versions antérieures à 2.0.0.1316 | ||
| Qnap | N/A | QuTScloud versions antérieures à c5.0.1.2374 build 20230419 | ||
| Qnap | QTS | QTS versions antérieures à 5.0.1.2277 build 20230112 | ||
| Qnap | QuTS hero | QuTS hero versions antérieures à h5.0.1.2277 build 20230112 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "QVR Pro Appliance versions ant\u00e9rieures \u00e0 2.3.1.0476",
"product": {
"name": "QVR",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions ant\u00e9rieures \u00e0 4.5.4.2280 build 20230112",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions ant\u00e9rieures \u00e0 h4.5.4.2374 build 20230417",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QVPN Device Client pour Windows versions ant\u00e9rieures \u00e0 2.0.0.1316",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTScloud versions ant\u00e9rieures \u00e0 c5.0.1.2374 build 20230419",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions ant\u00e9rieures \u00e0 5.0.1.2277 build 20230112",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions ant\u00e9rieures \u00e0 h5.0.1.2277 build 20230112",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-27600",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27600"
},
{
"name": "CVE-2022-27595",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27595"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0602",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-07-28T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles produits Qnap\u003c/span\u003e. Elles permettent \u00e0 un attaquant\nde provoquer un d\u00e9ni de service \u00e0 distance et une ex\u00e9cution de code\narbitraire.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-23-04 du 28 juillet 2023",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-23-04"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-23-09 du 28 juillet 2023",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-23-09"
}
]
}
CERTFR-2022-AVI-421
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Qnap. Certaines d'entre elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Qnap | N/A | Qnap Photo Station versions antérieures à 6.0.20 (2022/02/15) | ||
| Qnap | N/A | Qnap Photo Station versions antérieures à 5.4.13 (2022/02/11) | ||
| Qnap | N/A | Qnap Photo Station versions antérieures à 5.7.16 (2022/02/11) | ||
| Qnap | Video Station | Qnap Video Station versions antérieures à 5.3.13 | ||
| Qnap | QTS | Qnap QTS versions antérieures à 4.5.4.1991 build 20220329 | ||
| Qnap | QTS | Qnap QTS versions antérieures à 4.3.4.1976 build 20220303 | ||
| Qnap | N/A | Qnap QuTScloud versions antérieures à c5.0.1.1998 | ||
| Qnap | QTS | Qnap QTS versions antérieures à 4.2.6 build 20220304 | ||
| Qnap | QTS | Qnap QTS versions antérieures à 4.3.3.1945 build 20220303 | ||
| Qnap | QTS | Qnap QTS versions antérieures à 5.0.0.1986 build 20220324 | ||
| Qnap | Video Station | Qnap Video Station versions antérieures à 5.5.9 | ||
| Qnap | QTS | Qnap QTS versions antérieures à 4.3.6.1965 build 20220302 | ||
| Qnap | QVR | Qnap QVR versions antérieures à 5.1.6 build 20220401 | ||
| Qnap | Video Station | Qnap Video Station versions antérieures à 5.1.8 | ||
| Qnap | QuTS hero | Qnap QuTS hero versions antérieures à h5.0.0.1986 build 20220324 | ||
| Qnap | QuTS hero | Qnap QuTS hero versions antérieures à h4.5.4.1971 build 20220310 |
References
| Title | Publication Time | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Qnap Photo Station versions ant\u00e9rieures \u00e0 6.0.20 (2022/02/15)",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap Photo Station versions ant\u00e9rieures \u00e0 5.4.13 (2022/02/11)",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap Photo Station versions ant\u00e9rieures \u00e0 5.7.16 (2022/02/11)",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap Video Station versions ant\u00e9rieures \u00e0 5.3.13",
"product": {
"name": "Video Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap QTS versions ant\u00e9rieures \u00e0 4.5.4.1991 build 20220329",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap QTS versions ant\u00e9rieures \u00e0 4.3.4.1976 build 20220303",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap QuTScloud versions ant\u00e9rieures \u00e0 c5.0.1.1998",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap QTS versions ant\u00e9rieures \u00e0 4.2.6 build 20220304",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap QTS versions ant\u00e9rieures \u00e0 4.3.3.1945 build 20220303",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap QTS versions ant\u00e9rieures \u00e0 5.0.0.1986 build 20220324",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap Video Station versions ant\u00e9rieures \u00e0 5.5.9",
"product": {
"name": "Video Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap QTS versions ant\u00e9rieures \u00e0 4.3.6.1965 build 20220302",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap QVR versions ant\u00e9rieures \u00e0 5.1.6 build 20220401",
"product": {
"name": "QVR",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap Video Station versions ant\u00e9rieures \u00e0 5.1.8",
"product": {
"name": "Video Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap QuTS hero versions ant\u00e9rieures \u00e0 h5.0.0.1986 build 20220324",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qnap QuTS hero versions ant\u00e9rieures \u00e0 h4.5.4.1971 build 20220310",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-44056",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44056"
},
{
"name": "CVE-2022-44057",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44057"
},
{
"name": "CVE-2022-44053",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44053"
},
{
"name": "CVE-2022-44052",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44052"
},
{
"name": "CVE-2022-44054",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44054"
},
{
"name": "CVE-2022-27588",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27588"
},
{
"name": "CVE-2022-44055",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44055"
},
{
"name": "CVE-2022-38693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38693"
},
{
"name": "CVE-2022-44051",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-44051"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-421",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-05-06T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Qnap.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un\nprobl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une ex\u00e9cution de code\narbitraire \u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-22-13 du 6 mai 2022",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-22-13"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-22-14 du 6 mai 2022",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-22-14"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-22-07 du 6 mai 2022",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-22-07"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-22-15 du 6 mai 2022",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-22-15"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-22-16 du 6 mai 2022",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-22-16"
}
]
}
CERTFR-2022-AVI-033
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits QNAP. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Qnap | QTS | QTS 4.5.x versions antérieures à 4.5.4.1892 build 20211223 | ||
| Qnap | N/A | QcalAgent versions antérieures à 1.1.7 | ||
| Qnap | QVR | QVR Pro versions antérieures à 2.1.3.0 du 06/12/2021 | ||
| Qnap | QTS | QTS 5.0.x versions antérieures à 5.0.0.1891 build 20211221 | ||
| Qnap | QVR | QVR Guard versions antérieures à 2.1.3.0 du 06/12/2021 | ||
| Qnap | QuTS hero | QuTS hero versions antérieures à h5.0.0.1892 build 20211222 | ||
| Qnap | QVR | QVR Elite versions antérieures à 2.1.4.0 du 06/12/2021 |
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "QTS 4.5.x versions ant\u00e9rieures \u00e0 4.5.4.1892 build 20211223",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QcalAgent versions ant\u00e9rieures \u00e0 1.1.7",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QVR Pro versions ant\u00e9rieures \u00e0 2.1.3.0 du 06/12/2021",
"product": {
"name": "QVR",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS 5.0.x versions ant\u00e9rieures \u00e0 5.0.0.1891 build 20211221",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QVR Guard versions ant\u00e9rieures \u00e0 2.1.3.0 du 06/12/2021",
"product": {
"name": "QVR",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions ant\u00e9rieures \u00e0 h5.0.0.1892 build 20211222",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QVR Elite versions ant\u00e9rieures \u00e0 2.1.4.0 du 06/12/2021",
"product": {
"name": "QVR",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-38690",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38690"
},
{
"name": "CVE-2021-38677",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38677"
},
{
"name": "CVE-2021-38691",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38691"
},
{
"name": "CVE-2021-38678",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38678"
},
{
"name": "CVE-2021-38692",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38692"
},
{
"name": "CVE-2021-38689",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38689"
},
{
"name": "CVE-2021-38682",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38682"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-033",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-01-13T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits QNAP.\nElles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code\narbitraire \u00e0 distance et une injection de code indirecte \u00e0 distance\n(XSS).\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits QNAP",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 QNAP qsa-21-57 du 13 janvier 2022",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-21-57"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 QNAP qsa-21-60 du 13 janvier 2022",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-21-60"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 QNAP qsa-21-59 du 13 janvier 2022",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-21-59"
}
]
}
CERTFR-2021-AVI-906
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Qnap QVR. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "QVR versions ant\u00e9rieures \u00e0 5.1.6 build 20211109",
"product": {
"name": "QVR",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-38685",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38685"
},
{
"name": "CVE-2021-38686",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38686"
}
],
"links": [],
"reference": "CERTFR-2021-AVI-906",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-11-29T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Qnap QVR. Elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Qnap QVR",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-21-52 du 26 novembre 2021",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-21-52"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-21-51 du 26 novembre 2021",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-21-51"
}
]
}