6.5

CVE-2023-23372

A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to inject malicious code via a network.

We have already fixed the vulnerability in the following versions:
QTS 5.0.1.2425 build 20230609 and later
QTS 5.1.0.2444 build 20230629 and later
QTS 4.5.4.2467 build 20230718 and later
QuTS hero h5.1.0.2424 build 20230609 and later
QuTS hero h5.0.1.2515 build 20230907 and later
QuTS hero h4.5.4.2476 build 20230728 and later

Data is provided by the National Vulnerability Database (NVD)
Qnap Qts Version 5.1.0.2348 Update build_20230325
Qnap Qts Version 5.1.0.2399 Update build_20230515
Qnap Qts Version 5.1.0.2418 Update build_20230603
Qnap Qts Version 5.0.1.2034 Update build_20220515
Qnap Qts Version 5.0.1.2079 Update build_20220629
Qnap Qts Version 5.0.1.2131 Update build_20220820
Qnap Qts Version 5.0.1.2137 Update build_20220826
Qnap Qts Version 5.0.1.2145 Update build_20220903
Qnap Qts Version 5.0.1.2173 Update build_20221001
Qnap Qts Version 5.0.1.2194 Update build_20221022
Qnap Qts Version 5.0.1.2234 Update build_20221201
Qnap Qts Version 5.0.1.2248 Update build_20221215
Qnap Qts Version 5.0.1.2277 Update build_20230112
Qnap Qts Version 5.0.1.2346 Update build_20230322
Qnap Qts Version 5.0.1.2376 Update build_20230421
Qnap Qts Version 4.5.4.1715 Update build_20210630
Qnap Qts Version 4.5.4.1723 Update build_20210708
Qnap Qts Version 4.5.4.1741 Update build_20210726
Qnap Qts Version 4.5.4.1787 Update build_20210910
Qnap Qts Version 4.5.4.1800 Update build_20210923
Qnap Qts Version 4.5.4.1892 Update build_20211223
Qnap Qts Version 4.5.4.1931 Update build_20220128
Qnap Qts Version 4.5.4.2012 Update build_20220419
Qnap Qts Version 4.5.4.2117 Update build_20220802
Qnap Qts Version 4.5.4.2280 Update build_20230112
Qnap Qts Version 4.5.4.2374 Update build_20230416
Qnap Quts Hero Version h5.1.0.2409 Update build_20230525
Qnap Quts Hero Version h5.0.1.2045 Update build_20220526
Qnap Quts Hero Version h5.0.1.2192 Update build_20221020
Qnap Quts Hero Version h5.0.1.2248 Update build_20221215
Qnap Quts Hero Version h5.0.1.2269 Update build_20230104
Qnap Quts Hero Version h5.0.1.2277 Update build_20230112
Qnap Quts Hero Version h5.0.1.2348 Update build_20230324
Qnap Quts Hero Version h5.0.1.2376 Update build_20230421
Qnap Quts Hero Version h4.5.4.1771 Update build_20210825
Qnap Quts Hero Version h4.5.4.1800 Update build_20210923
Qnap Quts Hero Version h4.5.4.1813 Update build_20211006
Qnap Quts Hero Version h4.5.4.1848 Update build_20211109
Qnap Quts Hero Version h4.5.4.1892 Update build_20211223
Qnap Quts Hero Version h4.5.4.1951 Update build_20220218
Qnap Quts Hero Version h4.5.4.1971 Update build_20220310
Qnap Quts Hero Version h4.5.4.1991 Update build_20220330
Qnap Quts Hero Version h4.5.4.2052 Update build_20220530
Qnap Quts Hero Version h4.5.4.2138 Update build_20220824
Qnap Quts Hero Version h4.5.4.2217 Update build_20221111
Qnap Quts Hero Version h4.5.4.2272 Update build_20230105
Qnap Quts Hero Version h4.5.4.2374 Update build_20230417
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.29% | 0.522
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector string
nvd@nist.gov | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security@qnapsecurity.com.tw | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.