Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-23355

An OS command injection vulnerability has been reported to affect QNAP operating systems. If exploited, the vulnerability possibly allows remote authenticated administrators to execute commands via unspecified vectors. QES is not affected. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2346 build 20230322 and later QTS 4.5.4.2374 build 20230416 and later QuTS hero h5.0.1.2348 build 20230324 and later QuTS hero h4.5.4.2374 build 20230417 and later QuTScloud c5.0.1.2374 and later

Published

2023-03-29T05:15:07.563

Last Modified

2024-11-21T07:46:01.613

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.6 (MEDIUM)

Weaknesses

Type: Secondary
CWE-77
CWE-78
Type: Primary
CWE-77

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	qnap	qvr	-	Yes
Operating System	qnap	qts	< 5.0.1.2346	Yes
Operating System	qnap	quts_hero	< h5.0.1.2348	Yes
Operating System	qnap	qutscloud	-	Yes
Operating System	qnap	qvp-41b_firmware	-	Yes
Hardware	qnap	qvp-41b	-	No
Operating System	qnap	qvp-63b_firmware	-	Yes
Hardware	qnap	qvp-63b	-	No
Operating System	qnap	qvp-85b_firmware	-	Yes
Hardware	qnap	qvp-85b	-	No
Operating System	qnap	qvp-21a_firmware	-	Yes
Hardware	qnap	qvp-21a	-	No
Operating System	qnap	qvp-41a_firmware	-	Yes
Hardware	qnap	qvp-41a	-	No
Operating System	qnap	qvp-63a_firmware	-	Yes
Hardware	qnap	qvp-63a	-	No
Operating System	qnap	qvp-85a_firmware	-	Yes
Hardware	qnap	qvp-85a	-	No

References

https://www.qnap.com/en/security-advisory/qsa-23-10 Vendor Advisory ([email protected])
https://www.qnap.com/en/security-advisory/qsa-23-10 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)