ZDI-24-470

(Pwn2Own) QNAP TS-464 QR Code Device CRLF Injection Arbitrary Configuration Change Vulnerability

Published: 2024-05-19 00:00:00
Credit: LJP (@ljp_tw) and YingMuo (@YingMuo), working with DEVCORE Internship Program
Source: www.zerodayinitiative.com
Tags: vulnerability, remote attack, qnap ts-464, nas devices, authentication, privwizard api, configuration change

AI Score: 6.6 (Confidence: High)
EPSS: 0.001 (Percentile: 48.1%)

This vulnerability allows remote attackers to make arbitrary changes to configuration on affected installations of QNAP TS-464 NAS devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the privWizard API endpoints. The issue results from the lack of proper validation of a user-supplied string before using it to update configuration. An attacker can leverage this vulnerability to change the configuration of the system.
