CVE-2024-53693
07.03.2025, 17:15
An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to modify application data.
We have already fixed the vulnerability in the following versions:
QTS 5.2.3.3006 build 20250108 and later
QuTS hero h5.2.3.3006 build 20250108 and later| Vendor | Product | Version |
|---|---|---|
| qnap | qts | 5.2.0.2737:build_20240417 |
| qnap | qts | 5.2.0.2744:build_20240424 |
| qnap | qts | 5.2.0.2782:build_20240601 |
| qnap | qts | 5.2.0.2802:build_20240620 |
| qnap | qts | 5.2.0.2823:build_20240711 |
| qnap | qts | 5.2.0.2851:build_20240808 |
| qnap | qts | 5.2.0.2860:build_20240817 |
| qnap | qts | 5.2.1.2930:build_20241025 |
| qnap | qts | 5.2.2.2950:build_20241114 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
- CWE-94 - Improper Control of Generation of Code ('Code Injection')The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.