Important NAS readings and code vulnerability
Tracked as CVE-2024-38643, a non-validation vulnerability in QNAP’s note-taking and interoperability application for its NAS devices, Notes Station 3, could give a remote attacker unauthorized access to vulnerable systems.
The vulnerability, which received a CVSS v3 severity rating of 9.8 out of 10, affects Notes Station 3 versions 3.9.x and is fixed in versions 3.9.7 and later. QNAP’s NAS services are used as reliable data storage platforms by IT service providers and by many organizations in the telecommunications, entertainment, healthcare, and education sectors.
A second flaw affects similar versions of the application: a server-side request forgery (SSRF) bug, tracked as CVE-2024-38645, which allows remote actors with critical access gained via CVE-2024-38643 to read full application data. The bug has a CVSS v4 rating of 9.4/10.