Qnap Media Streaming Add-On vulnerabilities

12 known vulnerabilities affecting qnap/media_streaming_add-on.

Total CVEs: 12
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 2, MEDIUM 4, LOW 2

Vulnerabilities

CVE-2024-56808 | LOW | CVSS 2.0 | ≥ 500.1.1.0, < 500.1.1.6 | 2026-02-11
CVE-2024-56808 [LOW] CWE-78: A command injection vulnerability has been reported to affect Media Streaming add-on. If an attacker gains local network access who have also gained a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.6 ( 2024/08/02 ) and
nvd
CVE-2024-56807 | LOW | CVSS 1.7 | ≥ 500.1.1.0, < 500.1.1.6 | 2026-02-11
CVE-2024-56807 [LOW] CWE-125: An out-of-bounds read vulnerability has been reported to affect Media Streaming add-on. If an attacker gains local network access, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.6 ( 2024/08/02 ) and later
nvd
CVE-2024-50395 | MEDIUM | CVSS 6.9 | ≥ 500.1.1.0, < 500.1.1.6 | 2024-11-22
CVE-2024-50395 [MEDIUM] CWE-639: An authorization bypass through user-controlled key vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow local network attackers to gain privilege. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.6 ( 2024/08/02 ) and later
nvd
CVE-2023-47220 | MEDIUM | CVSS 6.6 | ≥ 500.1.1.0, < 500.1.1.5 | 2024-05-03
CVE-2023-47220 [MEDIUM] CWE-78: An OS command injection vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.5 ( 2024/01/22 ) and later
nvd
CVE-2023-47222 | CRITICAL | CVSS 9.8 | ≥ 500.1.1.0, < 500.1.1.5 | 2024-04-26
CVE-2023-47222 [CRITICAL] CWE-22: An exposure of sensitive information vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.5 ( 2024/01/22 ) and later
nvd
CVE-2023-23369 | CRITICAL | CVSS 9.8 | v500.1.1.0, v500.1.1.1, +10 more | 2023-11-03
CVE-2023-23369 [CRITICAL] CWE-77: An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: Multimedia Console 2.1.2 ( 2023/05/04 ) and later Multimedia Console 1.4.8 ( 2023/05/05 ) a
nvd
CVE-2021-34362 | HIGH | CVSS 7.2 | fixed in 500.0.0.3, fixed in 430.1.8.12 | 2021-10-22
CVE-2021-34362 [HIGH] CWE-78: A command injection vulnerability has been reported to affect QNAP device running Media Streaming add-on. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of Media Streaming add-on: QTS 5.0.0: Media Streaming add-on 500.0.0.3 ( 2021/08/20 ) and later QT
nvd
CVE-2020-36195 | CRITICAL | CVSS 9.8 | fixed in 430.1.8.10, fixed in 430.1.8.8 | 2021-04-17
CVE-2020-36195 [CRITICAL] CWE-20: An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia Console and the Media Streaming add-on. QTS 4.3.3:
nvd
CVE-2017-7640 | CRITICAL | CVSS 9.8 | ≤ 430.1.2.0, ≤ 421.1.0.2 | 2018-03-08
CVE-2017-7640 [CRITICAL] CWE-78: QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2.0, and earlier allows remote attackers to run arbitrary OS commands against the system with root privileges.
nvd
CVE-2017-7641 | HIGH | CVSS 8.8 | ≤ 430.1.2.0, ≤ 421.1.0.2 | 2018-03-08
CVE-2017-7641 [HIGH] CWE-352: QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2.0, and earlier does not utilize CSRF protections.
nvd
CVE-2017-7638 | MEDIUM | CVSS 6.5 | ≤ 430.1.2.0, ≤ 421.1.0.2 | 2018-03-08
CVE-2017-7638 [MEDIUM] CWE-287: QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2.0, and earlier does not authenticate requests properly. Successful exploitation could lead to change of the Media Streaming settings, and leakage of sensitive information of the QNAP NAS.
nvd
CVE-2017-7634 | MEDIUM | CVSS 6.1 | ≤ 430.1.2.0, ≤ 421.1.0.2 | 2018-03-08
CVE-2017-7634 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2.0, and earlier allows remote attackers to inject arbitrary web script or HTML. The injected code will only be triggered by a crafted link, not the normal page.
nvd