Taiwan-based QNAP Systems on Friday announced patches for a dozen vulnerabilities across its product portfolio, including high-severity flaws in its operating system.
The bug affects QTS versions 5.1.x and QuTS hero versions h5.1.x and was resolved with the release of QTS 5.1.3.2578 build 20231110 and QuTS hero h5.1.3.2578 build 20231110.
The two releases also address CVE-2022-43634, a security defect in Netatalk that could allow attackers to execute arbitrary code remotely, without authentication.
On Friday, QNAP also released patches for two high-severity vulnerabilities in Video Station - an SQL injection and an OS command injection - that could be exploited over the network.
Video Station version 5.7.2 resolves both issues.
Two other high-severity, remotely exploitable bugs were addressed with the release of QuMagie 2.2.1, namely CVE-2023-47559, a cross-site scripting flaw, and CVE-2023-47560, an OS command injection defect.
QNAP announced patches for multiple other medium- and low-severity vulnerabilities in QTS, QuTS hero, QcalAgent, and QuMagie.
Details on these flaws can be found on QNAP's security advisories page.
QNAP makes no mention of any of these security holes being exploited in the wild, but threat actors are known to target unpatched QNAP appliances in malicious attacks.
Mainly known for its network-attached storage and professional network video recorder products, QNAP also manufactures various types of networking equipment.
This Cyber News was published on www.securityweek.com. Publication date: Mon, 08 Jan 2024 15:13:04 +0000