Fixes have been released by QNAP to address 12 security flaws, many of which are high-severity, impacting its various products, according to SecurityWeek.
QTS version 5.1.x and QuTS hero version h5.1.x have been affected by the high-severity prototype pollution bug, tracked as CVE-2023-39296, which could be exploited "to override existing attributes with ones that have an incompatible type, which may cause the system to crash," noted QNAP, which said that newly released software patching the flaw also address the Netatalk remote code execution vulnerability, tracked as CVE-2022-43634.
Other high-severity flaws fixed by QNAP include an SQL injection issue, tracked as CVE-2023-41287, and an OS command injection defect, tracked as CVE-2023-41288, affecting its Video Station offering, as well as the cross-site scripting flaw, tracked as CVE-2023-47559, and the OS command injection bug, tracked as CVE-2023-47560, impacting QuMagie.
QNAP has also fixed medium- and low-severity bugs in QTS, QuTS hero, QuMagie, and QcalAgent but noted that there has been no evidence suggesting any active exploitation.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news