CVE-2024-50405 — CRLF Injection in Systems INC QTS

CWE-93 — CRLF Injection CWE-94 — Code Injection3 documents3 sources

Severity

5.1MEDIUMNVD

EPSS

0.2%

top 55.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qnap Systems INC QTS Qnap Systems INC Quts Hero Qnap QTS +1 more

Timeline

PublishedMar 7

Description

An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to modify application data. We have already fixed the vulnerability in the following versions: QTS 5.2.3.3006 build 20250108 and later QuTS hero h5.2.3.3006 build 20250108 and later

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶CVEListV5qnap_systems_inc/quts_heroh5.2.x — h5.2.3.3006 build 20250108

▶NVDqnap/quts_hero10 versions+9

▶CVEListV5qnap_systems_inc/qts5.2.x — 5.2.3.3006 build 20250108

▶NVDqnap/qts9 versions+8

🔴Vulnerability Details

GHSA

GHSA-744j-f9r9-w6h7: An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions↗2025-03-07

▶

CVEList

QTS, QuTS hero↗2025-03-07

▶