Vulnerability Details : CVE-2023-23372
A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to inject malicious code via a network.
We have already fixed the vulnerability in the following versions:
QTS 5.0.1.2425 build 20230609 and later
QTS 5.1.0.2444 build 20230629 and later
QTS 4.5.4.2467 build 20230718 and later
QuTS hero h5.1.0.2424 build 20230609 and later
QuTS hero h5.0.1.2515 build 20230907 and later
QuTS hero h4.5.4.2476 build 20230728 and later
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2023-23372
- cpe:2.3:o:qnap:qts:5.0.1.2034:build_20220515:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:5.0.1.2079:build_20220629:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:5.0.1.2131:build_20220820:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:5.0.1.2137:build_20220826:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:5.0.1.2145:build_20220903:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:5.0.1.2173:build_20221001:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:5.0.1.2194:build_20221022:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:5.0.1.2234:build_20221201:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:5.0.1.2248:build_20221215:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:5.0.1.2277:build_20230112:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:5.0.1.2346:build_20230322:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.1715:build_20210630:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.1723:build_20210708:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.1741:build_20210726:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.1787:build_20210910:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.1800:build_20210923:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.1892:build_20211223:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.1931:build_20220128:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.2012:build_20220419:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.2117:build_20220802:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.2280:build_20230112:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:5.1.0.2348:build_20230325:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:5.1.0.2399:build_20230515:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:4.5.4.2374:build_20230416:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:5.0.1.2376:build_20230421:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:5.1.0.2418:build_20230603:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h5.0.1.2045:build_20220526:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h5.0.1.2192:build_20221020:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h5.0.1.2248:build_20221215:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h5.0.1.2269:build_20230104:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h5.0.1.2277:build_20230112:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h5.0.1.2348:build_20230324:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h4.5.4.1771:build_20210825:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h4.5.4.1800:build_20210923:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h4.5.4.1813:build_20211006:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h4.5.4.1848:build_20211109:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h4.5.4.1892:build_20211223:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h4.5.4.1951:build_20220218:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h4.5.4.1971:build_20220310:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h4.5.4.1991:build_20220330:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h4.5.4.2052:build_20220530:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h4.5.4.2138:build_20220824:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h4.5.4.2217:build_20221111:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h4.5.4.2272:build_20230105:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h4.5.4.2374:build_20230417:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h5.0.1.2376:build_20230421:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:h5.1.0.2409:build_20230525:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-23372
0.06%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 29 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-23372
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST | |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
2.8
|
3.6
|
QNAP Systems, Inc. |
CWE ids for CVE-2023-23372
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by:
- nvd@nist.gov (Primary)
- security@qnapsecurity.com.tw (Secondary)
References for CVE-2023-23372
-
https://www.qnap.com/en/security-advisory/qsa-23-40
Vulnerability in QTS and QuTS hero - Security Advisory | QNAPVendor Advisory
Jump to