← back
CVE-2024-21901

myQNAPcloud

CVSS 4.7 MEDIUMEPSS 18.7%CWE-89
In short

A SQL injection flaw in myQNAPcloud allows authenticated administrators to insert malicious SQL commands through the network, potentially compromising the database and system data.

Technical detail

SQL injection vulnerability in myQNAPcloud accessible to authenticated administrators via network input; exploitation requires valid admin credentials and allows arbitrary SQL query execution, impacting data confidentiality and integrity. Fixed in myQNAPcloud 1.0.52 and QTS 4.5.4.2627 build 20231225 or later.

Summary generated and translated by AI from the official description.
A SQL injection vulnerability has been reported to affect myQNAPcloud. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network. We have already fixed the vulnerability in the following versions: myQNAPcloud 1.0.52 ( 2023/11/24 ) and later QTS 4.5.4.2627 build 20231225 and later
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Affected products
QNAP Systems Inc. · myQNAPcloudQNAP Systems Inc. · QTS

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://www.qnap.com/en/security-advisory/qsa-24-09