CVE-2023-34975

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-34975
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. QuTScloud is not affected. We have already fixed the vulnerability in the following versions: QuTS hero h4.5.4.2626 build 20231225 and later QTS 4.5.4.2627 build 20231225 and later

6.6 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References
Link Resource
https://www.qnap.com/en/security-advisory/qsa-24-12
https://www.qnap.com/en/security-advisory/qsa-24-12
Configurations

Configuration 1 (hide)

cpe:2.3:a:qnap:video_station:*:*:*:*:*:*:*:*
History

12 Jan 2026, 10:16

Type Values Removed Values Added
Summary (en) An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. QuTScloud c5.1.x is not affected. We have already fixed the vulnerability in the following versions: QuTS hero h4.5.4.2626 build 20231225 and later QTS 4.5.4.2627 build 20231225 and later (en) An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. QuTScloud is not affected. We have already fixed the vulnerability in the following versions: QuTS hero h4.5.4.2626 build 20231225 and later QTS 4.5.4.2627 build 20231225 and later

21 Nov 2024, 08:07

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 8.8 		v2 : unknown
v3 : 6.6
References () https://www.qnap.com/en/security-advisory/qsa-24-12 - () https://www.qnap.com/en/security-advisory/qsa-24-12 -

08 Mar 2024, 17:15

Type Values Removed Values Added
CWE CWE-89 CWE-78
Summary A SQL injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Video Station 5.7.0 ( 2023/07/27 ) and later An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. QuTScloud c5.1.x is not affected. We have already fixed the vulnerability in the following versions: QuTS hero h4.5.4.2626 build 20231225 and later QTS 4.5.4.2627 build 20231225 and later
References
  • {'url': 'https://www.qnap.com/en/security-advisory/qsa-23-52', 'name': 'https://www.qnap.com/en/security-advisory/qsa-23-52', 'tags': ['Vendor Advisory'], 'refsource': 'MISC'}
  • () https://www.qnap.com/en/security-advisory/qsa-24-12 -

18 Oct 2023, 19:54

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.8
CWE CWE-89
First Time Qnap
Qnap video Station
References (MISC) https://www.qnap.com/en/security-advisory/qsa-23-52 - (MISC) https://www.qnap.com/en/security-advisory/qsa-23-52 - Vendor Advisory
CPE cpe:2.3:a:qnap:video_station:*:*:*:*:*:*:*:*

13 Oct 2023, 21:31

Type Values Removed Values Added
New CVE
Information

Published : 2023-10-13 20:15

Updated : 2026-01-12 10:16

NVD link : CVE-2023-34975

Mitre link : CVE-2023-34975

CVE.ORG link : CVE-2023-34975

JSON object : View

Products Affected

qnap

  • video_station
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')