Lucene search
Team ECQZDI-24-472HistoryMay 19, 2024 - 12:00 a.m.
(Pwn2Own) QNAP TS-464 Netmgr Endpoint CRLF Injection Arbitrary Configuration Update Vulnerability
2024-05-1900:00:00
Team ECQ
www.zerodayinitiative.com
5
pwn2own
qnap ts-464
netmgr endpoint
crlf injection
arbitrary configuration update
vulnerability
remote attackers
localhost interface
legacy_cgi endpoints
lack of validation
user-supplied string
system configuration
This vulnerability allows remote attackers to create arbitrary configurations on affected installations of QNAP TS-464 NAS devices. An attacker must first obtain the ability to access the deviceβs localhost interface, which can be accomplished using a malicious TURN server. The specific flaw exists within the legacy_cgi endpoints. The issue results from the lack of proper validation of a user-supplied string before using it to update configurations. An attacker can leverage this in conjunction with other vulnerabilities to create arbitrary configurations on the system.
Related
vulnrichment
vulnrichment
CVE-2024-32764 myQNAPcloud Link
2024-04-26 15:00:51
nvd
nvd
CVE-2024-32764
2024-04-26 15:15:48
cve
cve
CVE-2024-32764
2024-04-26 15:15:48
cvelist
cvelist
CVE-2024-32764 myQNAPcloud Link
2024-04-26 15:00:51