CVE-2023-39296 — Prototype Pollution in Systems INC QTS

CWE-1321 — Prototype Pollution4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 38.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qnap Systems INC QTS Qnap Systems INC Quts Hero Qnap QTS +1 more

Timeline

PublishedJan 5

Description

A prototype pollution vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to override existing attributes with ones that have incompatible type, which may lead to a crash via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5qnap_systems_inc/quts_heroh5.1.x — h5.1.3.2578 build 20231110

▶NVDqnap/quts_hero6 versions+5

▶CVEListV5qnap_systems_inc/qts5.1.x — 5.1.3.2578 build 20231110

▶NVDqnap/qts7 versions+6

🔴Vulnerability Details

GHSA

GHSA-xh38-hrrg-8cjv: A prototype pollution vulnerability has been reported to affect several QNAP operating system versions↗2024-01-05

▶

CVEList

QTS, QuTS hero↗2024-01-05

▶

VulnCheck

QNAP QTS Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')↗2023

▶