CVE-2024-21901
Published: 2024-03-08
Priority: P3 · 40 · medium · CVSS 3.1 base score 4.7
CVSS 3.1 metrics: AV:N / AC:L / PR:H / UI:N / S:U / C:L / I:L / A:L
EPSS: 18.68% (96.9th percentile)
A SQL injection vulnerability has been reported to affect myQNAPcloud. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network.
We have already fixed the vulnerability in the following versions:
- myQNAPcloud 1.0.52 (2023/11/24) and later
- QTS 4.5.4.2627 build 20231225 and later
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qnap | myqnapcloud | < 1.0.52 | 1.0.52 |
| qnap | qts | < 4.5.4.2627 | 4.5.4.2627 |
| qnap | qts | — | — |
| qnap_systems_inc | myqnapcloud | >= 1.0.x < 1.0.52 ( 2023/11/24 ) | 1.0.52 ( 2023/11/24 ) |
| qnap_systems_inc | qts | >= 4.5.x < 4.5.4.2627 build 20231225 | 4.5.4.2627 build 20231225 |
CVSS provenance
- NVD (CVSS v3.1): 4.7 MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
- vendor_oracle: 7.4 HIGH
GHSA
GHSA-8vmv-4hfm-2fv8 (ghsa_unreviewed · 2024-03-08): CVE-2024-21901 [MEDIUM], CWE-89. A SQL injection vulnerability has been reported to affect myQNAPcloud.
Oracle
Oracle Financial Services Applications Risk Matrix: Infrastructure — CVE-2023-21901
vendor_oracle · 2024-01-15 · CVSS 7.4
CVE-2023-21901 [HIGH]
- CVE: CVE-2023-21901
- CVSS: 7.4
- Protocol: HTTP
- Remote exploit: No
- Affected versions: Network
- Advisory: cpujan2024 (JAN 2024)
No detection rules found.
No public exploits indexed.
Checkpoint
## 11th March – Threat Intelligence Report
blogs_checkpoint · 2024-03-11 · CVE-2023-46805 [HIGH] · CVSS 8.2
For the latest discoveries in cyber research for the week of 11th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Cybersecurity and Infrastructure Security Agency (CISA) has taken offline two systems following a breach that occurred as a result of the recent exploitation of vulnerabilities in Ivanti products. The affected systems potentially include the Infrastructure Protection Gateway and the Chemical Security Assessment Tool, holding sen
Bleepingcomputer
## QNAP warns of critical auth bypass flaw in its NAS devices
blogs_bleepingcomputer · 2024-03-08 · [CRITICAL] · CVSS 9.8
By Bill Toulas
QNAP warns of vulnerabilities in its NAS software products, including QTS, QuTS hero, QuTScloud, and myQNAPcloud, that could allow attackers to access devices.
The Taiwanese Network Attached Storage (NAS) device maker disclosed three vulnerabilities that can lead to an authentication bypass, command injection, and SQL injection.
While the last two require the attackers to be authenticated on the target system, which significantly lessens the risk, the first (CVE-2024-21899) can be executed remotely without authentication and is marked as "low complexity."
The three flaws fixed are the following:
- CVE-2024-21899: Improper authentication mechanisms allow unauthorized users to compromise the system's security t
Published: 2024-03-08