CVE-2023-39296

HIGH EXPLOITED

Qnap Qts - Prototype Pollution

Title source: rule

Description

A prototype pollution vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to override existing attributes with ones that have incompatible type, which may lead to a crash via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later

References (1)

[Vendor Advisory] https://www.qnap.com/en/security-advisory/qsa-23-64

Scores

CVSS v3 7.5

EPSS 0.0042

EPSS Percentile 61.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

VulnCheck KEV 2024-03-24

CWE

CWE-1321

Status published

Products (13)

qnap/qts 5.1.0.2348 build_20230325

qnap/qts 5.1.0.2399 build_20230515

qnap/qts 5.1.0.2418 build_20230603

qnap/qts 5.1.0.2444 build_20230629

qnap/qts 5.1.0.2466 build_20230721

qnap/qts 5.1.1.2491 build_20230815

qnap/qts 5.1.2.2533 build_20230926

qnap/quts_hero h5.1.0.2409 build_20230525

qnap/quts_hero h5.1.0.2424 build_20230609

qnap/quts_hero h5.1.0.2453 build_20230708

... and 3 more

Published Jan 05, 2024

Tracked Since Feb 18, 2026