CVE-2024-21897

Sept. 11, 2024, 1:34 p.m.

CVSS Score

5.4 / 10

Products Impacted

Vendor Product Versions
qnap
  • qts
  • quts_hero
  • 5.1.0.2348, 5.1.0.2399, 5.1.0.2418, 5.1.0.2444, 5.1.0.2466, 5.1.1.2491, 5.1.2.2533, 5.1.3.2578, 5.1.4.2596, 5.1.5.2645, 5.1.5.2679
  • h5.1.0.2409, h5.1.0.2424, h5.1.0.2453, h5.1.0.2466, h5.1.1.2488, h5.1.2.2534, h5.1.3.2578, h5.1.4.2596, h5.1.5.2647, h5.1.5.2680

Description

A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later

Weaknesses

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE ID: 79

Date

Published: Sept. 6, 2024, 5:15 p.m.

Last Modified: Sept. 11, 2024, 1:34 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@qnapsecurity.com.tw

CPEs

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
o qnap qts 5.1.0.2348 build_20230325 / / / / / /
o qnap qts 5.1.0.2399 build_20230515 / / / / / /
o qnap qts 5.1.0.2418 build_20230603 / / / / / /
o qnap qts 5.1.0.2444 build_20230629 / / / / / /
o qnap qts 5.1.0.2466 build_20230721 / / / / / /
o qnap qts 5.1.1.2491 build_20230815 / / / / / /
o qnap qts 5.1.2.2533 build_20230926 / / / / / /
o qnap qts 5.1.3.2578 build_20231110 / / / / / /
o qnap qts 5.1.4.2596 build_20231128 / / / / / /
o qnap qts 5.1.5.2645 build_20240116 / / / / / /
o qnap qts 5.1.5.2679 build_20240219 / / / / / /
o qnap quts_hero h5.1.0.2409 build_20230525 / / / / / /
o qnap quts_hero h5.1.0.2424 build_20230609 / / / / / /
o qnap quts_hero h5.1.0.2453 build_20230708 / / / / / /
o qnap quts_hero h5.1.0.2466 build_20230721 / / / / / /
o qnap quts_hero h5.1.1.2488 build_20230812 / / / / / /
o qnap quts_hero h5.1.2.2534 build_20230927 / / / / / /
o qnap quts_hero h5.1.3.2578 build_20231110 / / / / / /
o qnap quts_hero h5.1.4.2596 build_20231128 / / / / / /
o qnap quts_hero h5.1.5.2647 build_20240118 / / / / / /
o qnap quts_hero h5.1.5.2680 build_20240220 / / / / / /

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score
5.4
Exploitability Score
2.3
Impact Score
2.7
Base Severity
MEDIUM
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References