CVE-2024-21901 — SQL Injection in Systems INC Myqnapcloud

CWE-89 — SQL Injection4 documents4 sources

Severity

4.7MEDIUMNVD

EPSS

5.1%

top 10.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qnap Systems INC Myqnapcloud Qnap Systems INC QTS Qnap Myqnapcloud +1 more

Timeline

PublishedMar 8

Description

A SQL injection vulnerability has been reported to affect myQNAPcloud. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network. We have already fixed the vulnerability in the following versions: myQNAPcloud 1.0.52 ( 2023/11/24 ) and later QTS 4.5.4.2627 build 20231225 and later

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:LExploitability: 1.2 | Impact: 3.4

Affected Packages4 packages

▶NVDqnap/myqnapcloud< 1.0.52

▶CVEListV5qnap_systems_inc/myqnapcloud1.0.x — 1.0.52 ( 2023/11/24 )

▶NVDqnap/qts< 4.5.4.2627+1

▶CVEListV5qnap_systems_inc/qts4.5.x — 4.5.4.2627 build 20231225

🔴Vulnerability Details

GHSA

GHSA-8vmv-4hfm-2fv8: A SQL injection vulnerability has been reported to affect myQNAPcloud↗2024-03-08

▶

CVEList

myQNAPcloud↗2024-03-08

▶

📋Vendor Advisories

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Infrastructure — CVE-2023-21901↗2024-01-15

▶