Several QNAP vulnerabilities addressed

BleepingComputer reports that updates have been issued by QNAP to remediate several flaws impacting its routers, network-attached storage app, and other offerings, three of which were critical.

Most severe of the addressed vulnerabilities is the OS command injection flaw in QNAP's QuRouter 2.4.x offerings, tracked as CVE-2024-48860, which could be leveraged for remote command execution, while QNAP's Notes Station 3 note-taking and collaboration app for NAS systems is affected by a pair of critical bugs — including a missing authentication for critical functions flaw, tracked as CVE-2024-38643, and a server-side request forgery issue, tracked as CVE-2024-38645. A high-severity command injection flaw in QuRouter, tracked as CVE-2024-48861, and high-severity command injection and unauthorized data access issues in QNAP Notes Station 3, tracked as CVE-2024-38644 and CVE-2024-38646, have also been patched. QNAP has also fixed numerous other high-severity vulnerabilities impacting its QNAP AI Core, QTS, QuTS Hero, and QuLog Center products.