Back

CVE-2023-50366

Sept. 6, 2024, 5:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

QNAP QTS

  • 5.1.6.2722 build 20240402 and later

QNAP QuTS hero

  • h5.1.6.2734 build 20240414 and later

Source

security@qnapsecurity.com.tw

Tags

CWE-79
security@qnapsecurity.com.tw
2024-09-06
CVE-2023-50366

CVE-2023-50366 details

Published : Sept. 6, 2024, 5:15 p.m.
Last Modified : Sept. 6, 2024, 5:15 p.m.

Description

A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later

CVSS Score

1 2 3 4.3 5 6 7 8 9 10

Weakness

Weakness Name Description
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

Base Score

4.3

Exploitability Score

0.9

Impact Score

3.4

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

References

URL Source
https://www.qnap.com/en/security-advisory/qsa-24-20 security@qnapsecurity.com.tw
This website uses the NVD API, but is not approved or certified by it.