CVE-2023-23367
Severity: MEDIUM
QNAP QTS, QuTS hero, and QuTScloud - Authenticated OS Command Injection
Title source: llm
Description
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.0.1.2376 build 20230421 and later
QuTS hero h5.0.1.2376 build 20230421 and later
QuTScloud c5.1.0.2498 and later
References (1)
Core References
Vendor Advisory
https://www.qnap.com/en/security-advisory/qsa-23-24
Scores
CVSS v3: 4.7
EPSS: 0.0016
EPSS Percentile: 36.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-78
Status: published
Products (42)
qnap/qts 5.0.0.1716 build_20210701
qnap/qts 5.0.0.1785 build_20210908
qnap/qts 5.0.0.1808 build_20211001
qnap/qts 5.0.0.1828 build_20211020
qnap/qts 5.0.0.1837 build_20211029
qnap/qts 5.0.0.1850 build_20211111
qnap/qts 5.0.0.1853 build_20211114
qnap/qts 5.0.0.1858 build_20211119
qnap/qts 5.0.0.1870 build_20211201
qnap/qts 5.0.1.2034 build_20220515
... and 32 more
Published: Nov 10, 2023
Tracked Since: Feb 18, 2026