CVE-2024-53691
QTS, QuTS hero
In short
A vulnerability in QNAP operating systems allows attackers with user access to follow symbolic links and access files in unintended locations on the system. This could lead to unauthorized access to sensitive data or system files.
Technical detail
A link following vulnerability (CWE-59) affecting QNAP QTS and QuTS hero allows authenticated attackers to traverse the file system beyond intended boundaries by exploiting improper validation of symbolic link targets. Exploitation requires prior user-level access and can result in arbitrary file access with the privileges of the affected process.
Summary generated and translated by AI from the official description.
A link following vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations.
We have already fixed the vulnerability in the following versions:
QTS 5.1.8.2823 build 20240712 and later
QTS 5.2.0.2802 build 20240620 and later
QuTS hero h5.1.8.2823 build 20240712 and later
QuTS hero h5.2.0.2802 build 20240620 and later
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →