Strix
26.1K

CVE-2023-23372

MEDIUMCVSS 6.1/10EPSS 0.45%

Last modified

CVE-2023-23372 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2425 build 20230609 and later QTS 5.1.0.2444 build 20230629 and later QTS 4.5.4.2467 build 20230718 and later QuTS hero h5.1.0.2424 build 20230609 and later QuTS hero h5.0.1.2515 build 20230907 and later QuTS hero h4.5.4.2476 build 20230728 and later . EPSS estimates a 0.45% chance of exploitation in the next 30 days.

Description

A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2425 build 20230609 and later QTS 5.1.0.2444 build 20230629 and later QTS 4.5.4.2467 build 20230718 and later QuTS hero h5.1.0.2424 build 20230609 and later QuTS hero h5.0.1.2515 build 20230907 and later QuTS hero h4.5.4.2476 build 20230728 and later

Metrics

CVSS 3.1
6.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Probability
0.45%

36.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
QnapQts5.1.0.2348Build 20230325
QnapQts5.1.0.2399Build 20230515
QnapQts5.1.0.2418Build 20230603
QnapQts5.0.1.2034Build 20220515
QnapQts5.0.1.2079Build 20220629
QnapQts5.0.1.2131Build 20220820
QnapQts5.0.1.2137Build 20220826
QnapQts5.0.1.2145Build 20220903
QnapQts5.0.1.2173Build 20221001
QnapQts5.0.1.2194Build 20221022
QnapQts5.0.1.2234Build 20221201
QnapQts5.0.1.2248Build 20221215
QnapQts5.0.1.2277Build 20230112
QnapQts5.0.1.2346Build 20230322
QnapQts5.0.1.2376Build 20230421
QnapQts4.5.4.1715Build 20210630
QnapQts4.5.4.1723Build 20210708
QnapQts4.5.4.1741Build 20210726
QnapQts4.5.4.1787Build 20210910
QnapQts4.5.4.1800Build 20210923
QnapQts4.5.4.1892Build 20211223
QnapQts4.5.4.1931Build 20220128
QnapQts4.5.4.2012Build 20220419
QnapQts4.5.4.2117Build 20220802
QnapQts4.5.4.2280Build 20230112
QnapQts4.5.4.2374Build 20230416
QnapQuts Heroh5.1.0.2409Build 20230525
QnapQuts Heroh5.0.1.2045Build 20220526
QnapQuts Heroh5.0.1.2192Build 20221020
QnapQuts Heroh5.0.1.2248Build 20221215
QnapQuts Heroh5.0.1.2269Build 20230104
QnapQuts Heroh5.0.1.2277Build 20230112
QnapQuts Heroh5.0.1.2348Build 20230324
QnapQuts Heroh5.0.1.2376Build 20230421
QnapQuts Heroh4.5.4.1771Build 20210825
QnapQuts Heroh4.5.4.1800Build 20210923
QnapQuts Heroh4.5.4.1813Build 20211006
QnapQuts Heroh4.5.4.1848Build 20211109
QnapQuts Heroh4.5.4.1892Build 20211223
QnapQuts Heroh4.5.4.1951Build 20220218
QnapQuts Heroh4.5.4.1971Build 20220310
QnapQuts Heroh4.5.4.1991Build 20220330
QnapQuts Heroh4.5.4.2052Build 20220530
QnapQuts Heroh4.5.4.2138Build 20220824
QnapQuts Heroh4.5.4.2217Build 20221111
QnapQuts Heroh4.5.4.2272Build 20230105
QnapQuts Heroh4.5.4.2374Build 20230417

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2023-23372?
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2425 build 20230609 and later QTS 5.1.0.2444 build 20230629 and later QTS 4.5.4.2467 build 20230718 and later QuTS hero h5.1.0.2424 build 20230609 and later QuTS hero h5.0.1.2515 build 20230907 and later QuTS hero h4.5.4.2476 build 20230728 and later
How severe is CVE-2023-23372?
CVE-2023-23372 has a CVSS score of 6.1/10 (MEDIUM severity). The EPSS model estimates a 0.45% probability of exploitation in the next 30 days.
How do I fix CVE-2023-23372?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-23372?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST