Lucene search

QnapCVE-2024-27125

HistorySep 06, 2024 - 5:15 p.m.

CVE-2024-27125

2024-09-0617:15:14

CWE-79

qnap

web.nvd.nist.gov

cross-site scripting

helpdesk

vulnerability

authenticated administrators

malicious code

network

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

AI Score

3.8

Confidence

High

EPSS

Percentile

14.7%

JSON

A cross-site scripting (XSS) vulnerability has been reported to affect Helpdesk. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network.

We have already fixed the vulnerability in the following version:
Helpdesk 3.3.1 and later

Affected configurations

Nvd

Node

qnaphelpdeskRange<3.3.1

VendorProductVersionCPE
qnaphelpdesk*cpe:2.3:a:qnap:helpdesk:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
qnap	helpdesk	*	cpe:2.3:a:qnap:helpdesk::::::::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Helpdesk",
    "vendor": "QNAP Systems Inc.",
    "versions": [
      {
        "lessThan": "3.3.1",
        "status": "affected",
        "version": "3.3.x",
        "versionType": "custom"
      }
    ]
  }
]

References

www.qnap.com/en/security-advisory/qsa-24-29