cvelistv5 - cve-2024-50389

CVE-2024-50389 (GCVE-0-2024-50389)

Vulnerability from cvelistv5 – Published: 2024-12-06 16:35 – Updated: 2024-12-06 19:39

Summary

A SQL injection vulnerability has been reported to affect QuRouter. If exploited, the vulnerability could allow remote attackers to inject malicious code. We have already fixed the vulnerability in the following version: QuRouter 2.4.5.032 and later

Severity ?

9.5 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE

CWE-89

Assigner

qnap

References

URL

Tags

https://www.qnap.com/en/security-advisory/qsa-24-45

Impacted products

	Vendor	Product	Version
	QNAP Systems Inc.	QuRouter	Affected: 2.4.x , < 2.4.5.032 (custom)

Credits

Pwn2Own 2024 - Viettel Cyber Security

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:qnap:qurouter:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "qurouter",
            "vendor": "qnap",
            "versions": [
              {
                "lessThan": "2.4.5.032",
                "status": "affected",
                "version": "2.4.x",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-50389",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-06T19:30:09.347353Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-06T19:39:20.514Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "QuRouter",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "2.4.5.032",
              "status": "affected",
              "version": "2.4.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Pwn2Own 2024 - Viettel Cyber Security"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A SQL injection vulnerability has been reported to affect QuRouter. If exploited, the vulnerability could allow remote attackers to inject malicious code.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following version:\u003cbr\u003eQuRouter 2.4.5.032 and later\u003cbr\u003e"
            }
          ],
          "value": "A SQL injection vulnerability has been reported to affect QuRouter. If exploited, the vulnerability could allow remote attackers to inject malicious code.\n\nWe have already fixed the vulnerability in the following version:\nQuRouter 2.4.5.032 and later"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.5,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-06T16:35:45.704Z",
        "orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
        "shortName": "qnap"
      },
      "references": [
        {
          "url": "https://www.qnap.com/en/security-advisory/qsa-24-45"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "We have already fixed the vulnerability in the following version:\u003cbr\u003eQuRouter 2.4.5.032 and later\u003cbr\u003e"
            }
          ],
          "value": "We have already fixed the vulnerability in the following version:\nQuRouter 2.4.5.032 and later"
        }
      ],
      "source": {
        "advisory": "QSA-24-45",
        "discovery": "EXTERNAL"
      },
      "title": "QuRouter",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
    "assignerShortName": "qnap",
    "cveId": "CVE-2024-50389",
    "datePublished": "2024-12-06T16:35:45.704Z",
    "dateReserved": "2024-10-24T03:41:08.489Z",
    "dateUpdated": "2024-12-06T19:39:20.514Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A SQL injection vulnerability has been reported to affect QuRouter. If exploited, the vulnerability could allow remote attackers to inject malicious code.\\n\\nWe have already fixed the vulnerability in the following version:\\nQuRouter 2.4.5.032 and later\"}, {\"lang\": \"es\", \"value\": \"Se ha informado de una vulnerabilidad de inyecci\\u00f3n SQL que afecta a QuRouter. Si se explota, la vulnerabilidad podr\\u00eda permitir a atacantes remotos inyectar c\\u00f3digo malicioso. Ya hemos corregido la vulnerabilidad en la siguiente versi\\u00f3n: QuRouter 2.4.5.032 y posteriores\"}]",
      "id": "CVE-2024-50389",
      "lastModified": "2024-12-06T17:15:09.510",
      "metrics": "{\"cvssMetricV40\": [{\"source\": \"security@qnapsecurity.com.tw\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"4.0\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\", \"baseScore\": 9.5, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"vulnerableSystemConfidentiality\": \"HIGH\", \"vulnerableSystemIntegrity\": \"HIGH\", \"vulnerableSystemAvailability\": \"HIGH\", \"subsequentSystemConfidentiality\": \"HIGH\", \"subsequentSystemIntegrity\": \"HIGH\", \"subsequentSystemAvailability\": \"HIGH\", \"exploitMaturity\": \"NOT_DEFINED\", \"confidentialityRequirements\": \"NOT_DEFINED\", \"integrityRequirements\": \"NOT_DEFINED\", \"availabilityRequirements\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NOT_DEFINED\", \"modifiedAttackComplexity\": \"NOT_DEFINED\", \"modifiedAttackRequirements\": \"NOT_DEFINED\", \"modifiedPrivilegesRequired\": \"NOT_DEFINED\", \"modifiedUserInteraction\": \"NOT_DEFINED\", \"modifiedVulnerableSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedVulnerableSystemIntegrity\": \"NOT_DEFINED\", \"modifiedVulnerableSystemAvailability\": \"NOT_DEFINED\", \"modifiedSubsequentSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedSubsequentSystemIntegrity\": \"NOT_DEFINED\", \"modifiedSubsequentSystemAvailability\": \"NOT_DEFINED\", \"safety\": \"NOT_DEFINED\", \"automatable\": \"NOT_DEFINED\", \"recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\"}}]}",
      "published": "2024-12-06T17:15:09.510",
      "references": "[{\"url\": \"https://www.qnap.com/en/security-advisory/qsa-24-45\", \"source\": \"security@qnapsecurity.com.tw\"}]",
      "sourceIdentifier": "security@qnapsecurity.com.tw",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security@qnapsecurity.com.tw\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-50389\",\"sourceIdentifier\":\"security@qnapsecurity.com.tw\",\"published\":\"2024-12-06T17:15:09.510\",\"lastModified\":\"2025-09-24T19:18:32.913\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A SQL injection vulnerability has been reported to affect QuRouter. If exploited, the vulnerability could allow remote attackers to inject malicious code.\\n\\nWe have already fixed the vulnerability in the following version:\\nQuRouter 2.4.5.032 and later\"},{\"lang\":\"es\",\"value\":\"Se ha informado de una vulnerabilidad de inyecci\u00f3n SQL que afecta a QuRouter. Si se explota, la vulnerabilidad podr\u00eda permitir a atacantes remotos inyectar c\u00f3digo malicioso. Ya hemos corregido la vulnerabilidad en la siguiente versi\u00f3n: QuRouter 2.4.5.032 y posteriores\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security@qnapsecurity.com.tw\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.5,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@qnapsecurity.com.tw\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qurouter:2.4.0.190:build_20240522:*:*:*:*:*:*\",\"matchCriteriaId\":\"42432B47-A274-4AC7-9E02-0D2D257A6FC5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qurouter:2.4.1.172:build_20240606:*:*:*:*:*:*\",\"matchCriteriaId\":\"77451C56-4576-4CCC-B7FD-7C874F22C3CA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qurouter:2.4.1.634:build_20240710:*:*:*:*:*:*\",\"matchCriteriaId\":\"18080300-EC8D-4F8E-926E-25D0119870AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qurouter:2.4.2.317:build_20240903:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B8B0134-D750-4258-A0A1-CDBD90728B01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qurouter:2.4.2.538:build_20240923:*:*:*:*:*:*\",\"matchCriteriaId\":\"128C912D-D659-40A7-A0C1-185552C99CDD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qurouter:2.4.3.103:build_20241011:*:*:*:*:*:*\",\"matchCriteriaId\":\"95B7AAFE-A97C-4A81-AA34-D7548CFF4855\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:qnap:qurouter:2.4.4.106:build_20241017:*:*:*:*:*:*\",\"matchCriteriaId\":\"38F814E5-382C-4765-93DD-4A17C5BC1820\"}]}]}],\"references\":[{\"url\":\"https://www.qnap.com/en/security-advisory/qsa-24-45\",\"source\":\"security@qnapsecurity.com.tw\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-50389\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-06T19:30:09.347353Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:qnap:qurouter:*:*:*:*:*:*:*:*\"], \"vendor\": \"qnap\", \"product\": \"qurouter\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.4.x\", \"lessThan\": \"2.4.5.032\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-06T19:39:16.105Z\"}}], \"cna\": {\"title\": \"QuRouter\", \"source\": {\"advisory\": \"QSA-24-45\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Pwn2Own 2024 - Viettel Cyber Security\"}], \"impacts\": [{\"capecId\": \"CAPEC-66\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-66\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.5, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"QNAP Systems Inc.\", \"product\": \"QuRouter\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.4.x\", \"lessThan\": \"2.4.5.032\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"We have already fixed the vulnerability in the following version:\\nQuRouter 2.4.5.032 and later\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"We have already fixed the vulnerability in the following version:\u003cbr\u003eQuRouter 2.4.5.032 and later\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.qnap.com/en/security-advisory/qsa-24-45\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A SQL injection vulnerability has been reported to affect QuRouter. If exploited, the vulnerability could allow remote attackers to inject malicious code.\\n\\nWe have already fixed the vulnerability in the following version:\\nQuRouter 2.4.5.032 and later\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A SQL injection vulnerability has been reported to affect QuRouter. If exploited, the vulnerability could allow remote attackers to inject malicious code.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following version:\u003cbr\u003eQuRouter 2.4.5.032 and later\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89\"}]}], \"providerMetadata\": {\"orgId\": \"2fd009eb-170a-4625-932b-17a53af1051f\", \"shortName\": \"qnap\", \"dateUpdated\": \"2024-12-06T16:35:45.704Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-50389\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-06T19:39:20.514Z\", \"dateReserved\": \"2024-10-24T03:41:08.489Z\", \"assignerOrgId\": \"2fd009eb-170a-4625-932b-17a53af1051f\", \"datePublished\": \"2024-12-06T16:35:45.704Z\", \"assignerShortName\": \"qnap\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-50389

Vulnerability from fkie_nvd - Published: 2024-12-06 17:15 - Updated: 2025-09-24 19:18

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security@qnapsecurity.com.tw	https://www.qnap.com/en/security-advisory/qsa-24-45	Vendor Advisory

Impacted products

Vendor	Product	Version
qnap	qurouter	2.4.0.190
qnap	qurouter	2.4.1.172
qnap	qurouter	2.4.1.634
qnap	qurouter	2.4.2.317
qnap	qurouter	2.4.2.538
qnap	qurouter	2.4.3.103
qnap	qurouter	2.4.4.106

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:qnap:qurouter:2.4.0.190:build_20240522:*:*:*:*:*:*",
              "matchCriteriaId": "42432B47-A274-4AC7-9E02-0D2D257A6FC5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:qnap:qurouter:2.4.1.172:build_20240606:*:*:*:*:*:*",
              "matchCriteriaId": "77451C56-4576-4CCC-B7FD-7C874F22C3CA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:qnap:qurouter:2.4.1.634:build_20240710:*:*:*:*:*:*",
              "matchCriteriaId": "18080300-EC8D-4F8E-926E-25D0119870AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:qnap:qurouter:2.4.2.317:build_20240903:*:*:*:*:*:*",
              "matchCriteriaId": "8B8B0134-D750-4258-A0A1-CDBD90728B01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:qnap:qurouter:2.4.2.538:build_20240923:*:*:*:*:*:*",
              "matchCriteriaId": "128C912D-D659-40A7-A0C1-185552C99CDD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:qnap:qurouter:2.4.3.103:build_20241011:*:*:*:*:*:*",
              "matchCriteriaId": "95B7AAFE-A97C-4A81-AA34-D7548CFF4855",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:qnap:qurouter:2.4.4.106:build_20241017:*:*:*:*:*:*",
              "matchCriteriaId": "38F814E5-382C-4765-93DD-4A17C5BC1820",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A SQL injection vulnerability has been reported to affect QuRouter. If exploited, the vulnerability could allow remote attackers to inject malicious code.\n\nWe have already fixed the vulnerability in the following version:\nQuRouter 2.4.5.032 and later"
    },
    {
      "lang": "es",
      "value": "Se ha informado de una vulnerabilidad de inyecci\u00f3n SQL que afecta a QuRouter. Si se explota, la vulnerabilidad podr\u00eda permitir a atacantes remotos inyectar c\u00f3digo malicioso. Ya hemos corregido la vulnerabilidad en la siguiente versi\u00f3n: QuRouter 2.4.5.032 y posteriores"
    }
  ],
  "id": "CVE-2024-50389",
  "lastModified": "2025-09-24T19:18:32.913",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.5,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security@qnapsecurity.com.tw",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-12-06T17:15:09.510",
  "references": [
    {
      "source": "security@qnapsecurity.com.tw",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.qnap.com/en/security-advisory/qsa-24-45"
    }
  ],
  "sourceIdentifier": "security@qnapsecurity.com.tw",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security@qnapsecurity.com.tw",
      "type": "Secondary"
    }
  ]
}

CERTFR-2024-AVI-0943

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans Qnap QuRouter. Elle permet à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Qnap	QuRouter	QuRouter versions 2.4.x antérieures à 2.4.5.032

References

Title

Publication Time

Tags

Bulletin de sécurité Qnap QSA-24-45

2024-11-04

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "QuRouter versions 2.4.x ant\u00e9rieures \u00e0 2.4.5.032",
      "product": {
        "name": "QuRouter",
        "vendor": {
          "name": "Qnap",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-50389",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-50389"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0943",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-11-05T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Qnap QuRouter. Elle permet \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
  "title": "Vuln\u00e9rabilit\u00e9 dans Qnap QuRouter",
  "vendor_advisories": [
    {
      "published_at": "2024-11-04",
      "title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-45",
      "url": "https://www.qnap.com/go/security-advisory/qsa-24-45"
    }
  ]
}

CERTFR-2024-AVI-0943

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans Qnap QuRouter. Elle permet à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Qnap	QuRouter	QuRouter versions 2.4.x antérieures à 2.4.5.032

References

Title

Publication Time

Tags

Bulletin de sécurité Qnap QSA-24-45

2024-11-04

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "QuRouter versions 2.4.x ant\u00e9rieures \u00e0 2.4.5.032",
      "product": {
        "name": "QuRouter",
        "vendor": {
          "name": "Qnap",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-50389",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-50389"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0943",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-11-05T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Qnap QuRouter. Elle permet \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
  "title": "Vuln\u00e9rabilit\u00e9 dans Qnap QuRouter",
  "vendor_advisories": [
    {
      "published_at": "2024-11-04",
      "title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-45",
      "url": "https://www.qnap.com/go/security-advisory/qsa-24-45"
    }
  ]
}

GHSA-5P7P-GJ53-X6PP

Vulnerability from github – Published: 2024-12-06 18:30 – Updated: 2025-09-24 21:30

Details

A SQL injection vulnerability has been reported to affect QuRouter. If exploited, the vulnerability could allow remote attackers to inject malicious code.

We have already fixed the vulnerability in the following version: QuRouter 2.4.5.032 and later

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-50389"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-06T17:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "A SQL injection vulnerability has been reported to affect QuRouter. If exploited, the vulnerability could allow remote attackers to inject malicious code.\n\nWe have already fixed the vulnerability in the following version:\nQuRouter 2.4.5.032 and later",
  "id": "GHSA-5p7p-gj53-x6pp",
  "modified": "2025-09-24T21:30:30Z",
  "published": "2024-12-06T18:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50389"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-24-45"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-50389 (GCVE-0-2024-50389)

FKIE_CVE-2024-50389

CERTFR-2024-AVI-0943

Solutions

CERTFR-2024-AVI-0943

Solutions

GHSA-5P7P-GJ53-X6PP

Tags

Sightings

Nomenclature