CVE-2023-23369
QTS, Multimedia Console, and Media Streaming add-on
In short
A security flaw in QNAP systems allows attackers to run unauthorized commands over the network by exploiting improper handling of user input. This is a critical vulnerability because it gives attackers full control over the affected device.
Technical detail
OS command injection vulnerability (CWE-77, CWE-78) affecting QNAP QTS, Multimedia Console, and Media Streaming add-on due to insufficient input sanitization. Remote network-based attack vector with no authentication required; successful exploitation enables arbitrary command execution with system privileges.
Summary generated and translated by AI from the official description.
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network.
We have already fixed the vulnerability in the following versions:
Multimedia Console 2.1.2 (2023/05/04) and later
Multimedia Console 1.4.8 (2023/05/05) and later
QTS 5.1.0.2399 build 20230515 and later
QTS 4.3.6.2441 build 20230621 and later
QTS 4.3.4.2451 build 20230621 and later
QTS 4.3.3.2420 build 20230621 and later
QTS 4.2.6 build 20230621 and later
Media Streaming add-on 500.1.1.2 (2023/06/12) and later
Media Streaming add-on 500.0.0.11 (2023/06/16) and later
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
QNAP Systems Inc. · Media Streaming add-on
QNAP Systems Inc. · Multimedia Console
QNAP Systems Inc. · QTS