| Category | Details |
|---|---|
| Products Affected | Notes Station 3 (v3.9.x), QuRouter (v2.4.x and earlier), QuLog Center, AI Core, QTS, QuTS Hero. |
| Critical Vulnerabilities | - CVE-2024-38645 (CVSS 9.4): SSRF vulnerability in Notes Station 3. - CVE-2024-38643 (CVSS 9.3): Missing authentication in Notes Station 3. - CVE-2024-48860 (CVSS 9.5): OS command injection in QuRouter. |
| High-Severity Vulnerabilities | - CVE-2024-38644 (CVSS 8.7): Command injection in Notes Station 3. - CVE-2024-38646 (CVSS 8.4): Incorrect permissions in Notes Station 3. - CVE-2024-48861 (CVSS 7.3): Command injection in QuRouter. |
| Other Flaws | - CVE-2024-48862 (CVSS 8.7): Link following in QuLog Center. - CVE-2024-38647 (CVSS 7.9): Information exposure in AI Core. - CVE-2024-50396 & CVE-2024-50397 (CVSS 7.7): Format string handling in QTS and QuTS Hero. |
| Risks | - Unauthorized access. - Remote command execution. - Sensitive data exposure. - Network compromise. - Memory corruption and file system manipulation. |
| Mitigation Steps | - Update to the latest firmware. - Avoid direct internet exposure. - Use a VPN for remote access. - Implement secure network configurations. |
| Advisory Resources | Detailed guidance is available on QNAP’s official website. |
| Additional Recommendations | Use tools like SOCRadar for real-time CVE monitoring and attack surface management. |

Read full article: https://socradar.io/qnap-vulnerabilities-in-notes-station-3-and-qurouter/

Disclaimer: The above summary has been generated by an AI language model
