5.5

CVE-2024-50405

An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to modify application data.

We have already fixed the vulnerability in the following versions:
QTS 5.2.3.3006 build 20250108 and later
QuTS hero h5.2.3.3006 build 20250108 and later

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
QnapQts Version5.2.0.2737 Updatebuild_20240417
QnapQts Version5.2.0.2744 Updatebuild_20240424
QnapQts Version5.2.0.2782 Updatebuild_20240601
QnapQts Version5.2.0.2802 Updatebuild_20240620
QnapQts Version5.2.0.2823 Updatebuild_20240711
QnapQts Version5.2.0.2851 Updatebuild_20240808
QnapQts Version5.2.0.2860 Updatebuild_20240817
QnapQts Version5.2.1.2930 Updatebuild_20241025
QnapQts Version5.2.2.2950 Updatebuild_20241114
QnapQuts Hero Versionh5.2.0.2737 Updatebuild_20240417
QnapQuts Hero Versionh5.2.0.2782 Updatebuild_20240601
QnapQuts Hero Versionh5.2.0.2789 Updatebuild_20240607
QnapQuts Hero Versionh5.2.0.2802 Updatebuild_20240620
QnapQuts Hero Versionh5.2.0.2823 Updatebuild_20240711
QnapQuts Hero Versionh5.2.0.2851 Updatebuild_20240808
QnapQuts Hero Versionh5.2.0.2860 Updatebuild_20240817
QnapQuts Hero Versionh5.2.1.2929 Updatebuild_20241025
QnapQuts Hero Versionh5.2.1.2940 Updatebuild_20241105
QnapQuts Hero Versionh5.2.2.2952 Updatebuild_20241116
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.311
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security@qnapsecurity.com.tw 5.1 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.5 2.3 2.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.