cvelistv5 - cve-2024-50404

CVE-2024-50404 (GCVE-0-2024-50404)

Vulnerability from cvelistv5 – Published: 2024-12-06 16:35 – Updated: 2024-12-06 19:28

Summary

A link following vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations. We have already fixed the vulnerability in the following versions: Qsync Central 4.4.0.16_20240819 ( 2024/08/19 ) and later

Severity ?

6.8 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE

CWE-59

Assigner

qnap

References

URL

Tags

https://www.qnap.com/en/security-advisory/qsa-24-48

Impacted products

	Vendor	Product	Version
	QNAP Systems Inc.	Qsync Central	Affected: 4.4.x.x , < 4.4.0.16_20240819 ( 2024/08/19 ) (custom)

Credits

c411e

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-50404",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-06T19:28:28.876559Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-06T19:28:37.668Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Qsync Central",
          "vendor": "QNAP Systems Inc.",
          "versions": [
            {
              "lessThan": "4.4.0.16_20240819 ( 2024/08/19 )",
              "status": "affected",
              "version": "4.4.x.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "c411e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A link following vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQsync Central 4.4.0.16_20240819 ( 2024/08/19 ) and later\u003cbr\u003e"
            }
          ],
          "value": "A link following vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations.\n\nWe have already fixed the vulnerability in the following versions:\nQsync Central 4.4.0.16_20240819 ( 2024/08/19 ) and later"
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-06T16:35:52.266Z",
        "orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
        "shortName": "qnap"
      },
      "references": [
        {
          "url": "https://www.qnap.com/en/security-advisory/qsa-24-48"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "We have already fixed the vulnerability in the following versions:\u003cbr\u003eQsync Central 4.4.0.16_20240819 ( 2024/08/19 ) and later\u003cbr\u003e"
            }
          ],
          "value": "We have already fixed the vulnerability in the following versions:\nQsync Central 4.4.0.16_20240819 ( 2024/08/19 ) and later"
        }
      ],
      "source": {
        "advisory": "QSA-24-48",
        "discovery": "EXTERNAL"
      },
      "title": "Qsync Central",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
    "assignerShortName": "qnap",
    "cveId": "CVE-2024-50404",
    "datePublished": "2024-12-06T16:35:52.266Z",
    "dateReserved": "2024-10-24T03:45:32.283Z",
    "dateUpdated": "2024-12-06T19:28:37.668Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A link following vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations.\\n\\nWe have already fixed the vulnerability in the following versions:\\nQsync Central 4.4.0.16_20240819 ( 2024/08/19 ) and later\"}, {\"lang\": \"es\", \"value\": \"Se ha informado de una vulnerabilidad de seguimiento de enlaces que afecta a Qsync Central. Si se explota, la vulnerabilidad podr\\u00eda permitir a atacantes remotos que hayan obtenido acceso de usuario atravesar el sistema de archivos hasta ubicaciones no deseadas. Ya hemos corregido la vulnerabilidad en las siguientes versiones: Qsync Central 4.4.0.16_20240819 (2024/08/19) y posteriores\"}]",
      "id": "CVE-2024-50404",
      "lastModified": "2024-12-06T17:15:10.043",
      "metrics": "{\"cvssMetricV40\": [{\"source\": \"security@qnapsecurity.com.tw\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"4.0\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\", \"baseScore\": 6.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"ACTIVE\", \"vulnerableSystemConfidentiality\": \"NONE\", \"vulnerableSystemIntegrity\": \"NONE\", \"vulnerableSystemAvailability\": \"HIGH\", \"subsequentSystemConfidentiality\": \"NONE\", \"subsequentSystemIntegrity\": \"NONE\", \"subsequentSystemAvailability\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"confidentialityRequirements\": \"NOT_DEFINED\", \"integrityRequirements\": \"NOT_DEFINED\", \"availabilityRequirements\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NOT_DEFINED\", \"modifiedAttackComplexity\": \"NOT_DEFINED\", \"modifiedAttackRequirements\": \"NOT_DEFINED\", \"modifiedPrivilegesRequired\": \"NOT_DEFINED\", \"modifiedUserInteraction\": \"NOT_DEFINED\", \"modifiedVulnerableSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedVulnerableSystemIntegrity\": \"NOT_DEFINED\", \"modifiedVulnerableSystemAvailability\": \"NOT_DEFINED\", \"modifiedSubsequentSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedSubsequentSystemIntegrity\": \"NOT_DEFINED\", \"modifiedSubsequentSystemAvailability\": \"NOT_DEFINED\", \"safety\": \"NOT_DEFINED\", \"automatable\": \"NOT_DEFINED\", \"recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\"}}]}",
      "published": "2024-12-06T17:15:10.043",
      "references": "[{\"url\": \"https://www.qnap.com/en/security-advisory/qsa-24-48\", \"source\": \"security@qnapsecurity.com.tw\"}]",
      "sourceIdentifier": "security@qnapsecurity.com.tw",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security@qnapsecurity.com.tw\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-59\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-50404\",\"sourceIdentifier\":\"security@qnapsecurity.com.tw\",\"published\":\"2024-12-06T17:15:10.043\",\"lastModified\":\"2024-12-06T17:15:10.043\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A link following vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations.\\n\\nWe have already fixed the vulnerability in the following versions:\\nQsync Central 4.4.0.16_20240819 ( 2024/08/19 ) and later\"},{\"lang\":\"es\",\"value\":\"Se ha informado de una vulnerabilidad de seguimiento de enlaces que afecta a Qsync Central. Si se explota, la vulnerabilidad podr\u00eda permitir a atacantes remotos que hayan obtenido acceso de usuario atravesar el sistema de archivos hasta ubicaciones no deseadas. Ya hemos corregido la vulnerabilidad en las siguientes versiones: Qsync Central 4.4.0.16_20240819 (2024/08/19) y posteriores\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security@qnapsecurity.com.tw\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security@qnapsecurity.com.tw\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"}]}],\"references\":[{\"url\":\"https://www.qnap.com/en/security-advisory/qsa-24-48\",\"source\":\"security@qnapsecurity.com.tw\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-50404\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-06T19:28:28.876559Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-06T19:28:34.543Z\"}}], \"cna\": {\"title\": \"Qsync Central\", \"source\": {\"advisory\": \"QSA-24-48\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"c411e\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 6.8, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"QNAP Systems Inc.\", \"product\": \"Qsync Central\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.4.x.x\", \"lessThan\": \"4.4.0.16_20240819 ( 2024/08/19 )\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"We have already fixed the vulnerability in the following versions:\\nQsync Central 4.4.0.16_20240819 ( 2024/08/19 ) and later\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"We have already fixed the vulnerability in the following versions:\u003cbr\u003eQsync Central 4.4.0.16_20240819 ( 2024/08/19 ) and later\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.qnap.com/en/security-advisory/qsa-24-48\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A link following vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations.\\n\\nWe have already fixed the vulnerability in the following versions:\\nQsync Central 4.4.0.16_20240819 ( 2024/08/19 ) and later\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A link following vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following versions:\u003cbr\u003eQsync Central 4.4.0.16_20240819 ( 2024/08/19 ) and later\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-59\", \"description\": \"CWE-59\"}]}], \"providerMetadata\": {\"orgId\": \"2fd009eb-170a-4625-932b-17a53af1051f\", \"shortName\": \"qnap\", \"dateUpdated\": \"2024-12-06T16:35:52.266Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-50404\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-06T19:28:37.668Z\", \"dateReserved\": \"2024-10-24T03:45:32.283Z\", \"assignerOrgId\": \"2fd009eb-170a-4625-932b-17a53af1051f\", \"datePublished\": \"2024-12-06T16:35:52.266Z\", \"assignerShortName\": \"qnap\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-F4RV-5346-M4JX

Vulnerability from github – Published: 2024-12-06 18:30 – Updated: 2024-12-06 18:30

Details

We have already fixed the vulnerability in the following versions: Qsync Central 4.4.0.16_20240819 ( 2024/08/19 ) and later

Severity ?

6.8 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-50404"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-06T17:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A link following vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations.\n\nWe have already fixed the vulnerability in the following versions:\nQsync Central 4.4.0.16_20240819 ( 2024/08/19 ) and later",
  "id": "GHSA-f4rv-5346-m4jx",
  "modified": "2024-12-06T18:30:46Z",
  "published": "2024-12-06T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50404"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-24-48"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

CERTFR-2024-AVI-1052

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Qnap. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à l'intégrité des données et un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Qnap	QuTS hero	QuTS hero versions h5.2.x antérieures à h5.2.2.2952 build 20241116
Qnap	QuTS hero	QuTS hero versions h5.1.x antérieures à h5.1.9.2954 build 20241120
Qnap	QTS	QTS versions 5.1.x antérieures à 5.1.9.2954 build 20241120
Qnap	License Center	License Center versions 1.9.x antérieures à 1.9.43
Qnap	QTS	QTS versions 5.2.x antérieures à 5.2.2.2950 build 20241114
Qnap	Qsync Central	Qsync Central versions 4.4.x antérieures à 4.4.0.16_20240819 ( 2024/08/19 )

References

Title

Publication Time

Tags

Bulletin de sécurité Qnap QSA-24-50	2024-12-07	vendor-advisory
Bulletin de sécurité Qnap QSA-24-48	2024-12-07	vendor-advisory
Bulletin de sécurité Qnap QSA-24-49	2024-12-07	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "QuTS hero versions h5.2.x ant\u00e9rieures \u00e0 h5.2.2.2952 build 20241116",
      "product": {
        "name": "QuTS hero",
        "vendor": {
          "name": "Qnap",
          "scada": false
        }
      }
    },
    {
      "description": "QuTS hero versions h5.1.x ant\u00e9rieures \u00e0 h5.1.9.2954 build 20241120",
      "product": {
        "name": "QuTS hero",
        "vendor": {
          "name": "Qnap",
          "scada": false
        }
      }
    },
    {
      "description": "QTS versions 5.1.x ant\u00e9rieures \u00e0 5.1.9.2954 build 20241120",
      "product": {
        "name": "QTS",
        "vendor": {
          "name": "Qnap",
          "scada": false
        }
      }
    },
    {
      "description": "License Center versions 1.9.x ant\u00e9rieures \u00e0 1.9.43",
      "product": {
        "name": "License Center",
        "vendor": {
          "name": "Qnap",
          "scada": false
        }
      }
    },
    {
      "description": "QTS versions 5.2.x ant\u00e9rieures \u00e0 5.2.2.2950 build 20241114",
      "product": {
        "name": "QTS",
        "vendor": {
          "name": "Qnap",
          "scada": false
        }
      }
    },
    {
      "description": "Qsync Central versions 4.4.x ant\u00e9rieures \u00e0 4.4.0.16_20240819 ( 2024/08/19 )",
      "product": {
        "name": "Qsync Central",
        "vendor": {
          "name": "Qnap",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-50404",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-50404"
    },
    {
      "name": "CVE-2024-50403",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-50403"
    },
    {
      "name": "CVE-2024-50402",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-50402"
    },
    {
      "name": "CVE-2024-48866",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-48866"
    },
    {
      "name": "CVE-2024-48867",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-48867"
    },
    {
      "name": "CVE-2024-48863",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-48863"
    },
    {
      "name": "CVE-2024-48868",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-48868"
    },
    {
      "name": "CVE-2024-48859",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-48859"
    },
    {
      "name": "CVE-2024-50393",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-50393"
    },
    {
      "name": "CVE-2024-48865",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-48865"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-1052",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-12-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Qnap. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
  "vendor_advisories": [
    {
      "published_at": "2024-12-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-50",
      "url": "https://www.qnap.com/go/security-advisory/qsa-24-50"
    },
    {
      "published_at": "2024-12-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-48",
      "url": "https://www.qnap.com/go/security-advisory/qsa-24-48"
    },
    {
      "published_at": "2024-12-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-49",
      "url": "https://www.qnap.com/go/security-advisory/qsa-24-49"
    }
  ]
}

CERTFR-2024-AVI-1052

Vulnerability from certfr_avis - Published: - Updated:

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Qnap	QuTS hero	QuTS hero versions h5.2.x antérieures à h5.2.2.2952 build 20241116
Qnap	QuTS hero	QuTS hero versions h5.1.x antérieures à h5.1.9.2954 build 20241120
Qnap	QTS	QTS versions 5.1.x antérieures à 5.1.9.2954 build 20241120
Qnap	License Center	License Center versions 1.9.x antérieures à 1.9.43
Qnap	QTS	QTS versions 5.2.x antérieures à 5.2.2.2950 build 20241114
Qnap	Qsync Central	Qsync Central versions 4.4.x antérieures à 4.4.0.16_20240819 ( 2024/08/19 )

References

Title

Publication Time

Tags

Bulletin de sécurité Qnap QSA-24-50	2024-12-07	vendor-advisory
Bulletin de sécurité Qnap QSA-24-48	2024-12-07	vendor-advisory
Bulletin de sécurité Qnap QSA-24-49	2024-12-07	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "QuTS hero versions h5.2.x ant\u00e9rieures \u00e0 h5.2.2.2952 build 20241116",
      "product": {
        "name": "QuTS hero",
        "vendor": {
          "name": "Qnap",
          "scada": false
        }
      }
    },
    {
      "description": "QuTS hero versions h5.1.x ant\u00e9rieures \u00e0 h5.1.9.2954 build 20241120",
      "product": {
        "name": "QuTS hero",
        "vendor": {
          "name": "Qnap",
          "scada": false
        }
      }
    },
    {
      "description": "QTS versions 5.1.x ant\u00e9rieures \u00e0 5.1.9.2954 build 20241120",
      "product": {
        "name": "QTS",
        "vendor": {
          "name": "Qnap",
          "scada": false
        }
      }
    },
    {
      "description": "License Center versions 1.9.x ant\u00e9rieures \u00e0 1.9.43",
      "product": {
        "name": "License Center",
        "vendor": {
          "name": "Qnap",
          "scada": false
        }
      }
    },
    {
      "description": "QTS versions 5.2.x ant\u00e9rieures \u00e0 5.2.2.2950 build 20241114",
      "product": {
        "name": "QTS",
        "vendor": {
          "name": "Qnap",
          "scada": false
        }
      }
    },
    {
      "description": "Qsync Central versions 4.4.x ant\u00e9rieures \u00e0 4.4.0.16_20240819 ( 2024/08/19 )",
      "product": {
        "name": "Qsync Central",
        "vendor": {
          "name": "Qnap",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-50404",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-50404"
    },
    {
      "name": "CVE-2024-50403",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-50403"
    },
    {
      "name": "CVE-2024-50402",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-50402"
    },
    {
      "name": "CVE-2024-48866",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-48866"
    },
    {
      "name": "CVE-2024-48867",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-48867"
    },
    {
      "name": "CVE-2024-48863",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-48863"
    },
    {
      "name": "CVE-2024-48868",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-48868"
    },
    {
      "name": "CVE-2024-48859",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-48859"
    },
    {
      "name": "CVE-2024-50393",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-50393"
    },
    {
      "name": "CVE-2024-48865",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-48865"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-1052",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-12-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Qnap. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
  "vendor_advisories": [
    {
      "published_at": "2024-12-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-50",
      "url": "https://www.qnap.com/go/security-advisory/qsa-24-50"
    },
    {
      "published_at": "2024-12-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-48",
      "url": "https://www.qnap.com/go/security-advisory/qsa-24-48"
    },
    {
      "published_at": "2024-12-07",
      "title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-49",
      "url": "https://www.qnap.com/go/security-advisory/qsa-24-49"
    }
  ]
}

FKIE_CVE-2024-50404

Vulnerability from fkie_nvd - Published: 2024-12-06 17:15 - Updated: 2024-12-06 17:15

Severity ?

6.8 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security@qnapsecurity.com.tw	https://www.qnap.com/en/security-advisory/qsa-24-48

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A link following vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations.\n\nWe have already fixed the vulnerability in the following versions:\nQsync Central 4.4.0.16_20240819 ( 2024/08/19 ) and later"
    },
    {
      "lang": "es",
      "value": "Se ha informado de una vulnerabilidad de seguimiento de enlaces que afecta a Qsync Central. Si se explota, la vulnerabilidad podr\u00eda permitir a atacantes remotos que hayan obtenido acceso de usuario atravesar el sistema de archivos hasta ubicaciones no deseadas. Ya hemos corregido la vulnerabilidad en las siguientes versiones: Qsync Central 4.4.0.16_20240819 (2024/08/19) y posteriores"
    }
  ],
  "id": "CVE-2024-50404",
  "lastModified": "2024-12-06T17:15:10.043",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "ACTIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security@qnapsecurity.com.tw",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-12-06T17:15:10.043",
  "references": [
    {
      "source": "security@qnapsecurity.com.tw",
      "url": "https://www.qnap.com/en/security-advisory/qsa-24-48"
    }
  ],
  "sourceIdentifier": "security@qnapsecurity.com.tw",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-59"
        }
      ],
      "source": "security@qnapsecurity.com.tw",
      "type": "Primary"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-50404 (GCVE-0-2024-50404)

GHSA-F4RV-5346-M4JX

CERTFR-2024-AVI-1052

Solutions

CERTFR-2024-AVI-1052

Solutions

FKIE_CVE-2024-50404

Tags

Sightings

Nomenclature