CVE-2023-39296
Published 2024-01-05
Priority P2 · 76 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 1.56% (72.2th percentile)
A prototype pollution vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to override existing attributes with ones that have incompatible type, which may lead to a crash via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.1.3.2578 build 20231110 and later
QuTS hero h5.1.3.2578 build 20231110 and later
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | quts_hero | — | — |
| qnap | quts_hero | — | — |
| qnap | quts_hero | — | — |
| qnap | quts_hero | — | — |
| qnap | quts_hero | — | — |
| qnap | quts_hero | — | — |
| qnap_systems_inc | qts | >= 5.1.x < 5.1.3.2578 build 20231110 | 5.1.3.2578 build 20231110 |
| qnap_systems_inc | quts_hero | >= h5.1.x < h5.1.3.2578 build 20231110 | h5.1.3.2578 build 20231110 |
CVSS provenance
nvd · v3.1 · 7.5 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vulncheck · 7.5 · HIGH
GHSA
GHSA-xh38-hrrg-8cjv: A prototype pollution vulnerability has been reported to affect several QNAP operating system versions
ghsa_unreviewed·2024-01-05
CVE-2023-39296 [HIGH] CWE-1321 GHSA-xh38-hrrg-8cjv: A prototype pollution vulnerability has been reported to affect several QNAP operating system versions
VulnCheck
QNAP QTS Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
vulncheck·2023·CVSS 7.5
CVE-2023-39296 [HIGH] QNAP QTS Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Affected: QNAP QTS
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?da
No detection rules found.
No public exploits indexed.