7.5

CVE-2023-39296

A prototype pollution vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to override existing attributes with ones that have incompatible type, which may lead to a crash via a network.

We have already fixed the vulnerability in the following versions:
QTS 5.1.3.2578 build 20231110 and later
QuTS hero h5.1.3.2578 build 20231110 and later

Data is provided by the National Vulnerability Database (NVD)
QnapQts Version5.1.0.2348 Updatebuild_20230325
QnapQts Version5.1.0.2399 Updatebuild_20230515
QnapQts Version5.1.0.2418 Updatebuild_20230603
QnapQts Version5.1.0.2444 Updatebuild_20230629
QnapQts Version5.1.0.2466 Updatebuild_20230721
QnapQts Version5.1.1.2491 Updatebuild_20230815
QnapQts Version5.1.2.2533 Updatebuild_20230926
QnapQuts Hero Versionh5.1.0.2409 Updatebuild_20230525
QnapQuts Hero Versionh5.1.0.2424 Updatebuild_20230609
QnapQuts Hero Versionh5.1.0.2453 Updatebuild_20230708
QnapQuts Hero Versionh5.1.0.2466 Updatebuild_20230721
QnapQuts Hero Versionh5.1.1.2488 Updatebuild_20230812
QnapQuts Hero Versionh5.1.2.2534 Updatebuild_20230927
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.36% 0.572
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security@qnapsecurity.com.tw 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.