CVE-2024-21901

Published: 08/03/2024 Updated: 13/03/2024
CVSS v3 Base Score: 4.7 | Impact Score: 3.4 | Exploitability Score: 1.2
VMScore: 0

Vulnerability Summary

This vulnerability allows remote malicious users to execute arbitrary code on affected installations of QNAP TS-464 NAS devices. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the authLogin endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of root.

Vulnerable Product

qnap qts 4.5.4.2627

qnap qts

qnap myqnapcloud

Recent Articles

QNAP warns of critical auth bypass flaw in its NAS devices
BleepingComputer • Bill Toulas • 08 Mar 2024

QNAP warns of vulnerabilities in its NAS software products, including QTS, QuTS hero, QuTScloud, and myQNAPcloud, that could allow attackers to access devices. The Taiwanese Network Attached Storage (NAS) device maker disclosed three vulnerabilities that can lead to an authentication bypass, command injection, and SQL injection. While the last two require the attackers to be authenticated...