CVE-2024-48862

A link following vulnerability has been reported to affect QuLog Center. If exploited, the vulnerability could allow remote attackers to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. We have already fixed the vulnerability in the following versions: QuLog Center 1.7.0.831 ( 2024/10/15 ) and later QuLog Center 1.8.0.888 ( 2024/10/15 ) and later

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.qnap.com/en/security-advisory/qsa-24-46	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:qnap:qulog_center::::::::
	cpe:2.3:a:qnap:qulog_center::::::::

History

08 Dec 2025, 19:18

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Qnap qulog Center Qnap
CPE		cpe:2.3:a:qnap:qulog_center::::::::
References	~~() https://www.qnap.com/en/security-advisory/qsa-24-46 -~~	() https://www.qnap.com/en/security-advisory/qsa-24-46 - Vendor Advisory
Summary		(es) Se ha informado de una vulnerabilidad relacionada con el seguimiento de enlaces que afecta a QuLog Center. Si se explota, la vulnerabilidad podría permitir a atacantes remotos atravesar el sistema de archivos hasta ubicaciones no deseadas y leer o sobrescribir el contenido de archivos inesperados. Ya hemos corregido la vulnerabilidad en las siguientes versiones: QuLog Center 1.7.0.831 (2024/10/15) y posteriores QuLog Center 1.8.0.888 (2024/10/15) y posteriores

22 Nov 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-22 16:15

Updated : 2025-12-08 19:18

NVD link : CVE-2024-48862

Mitre link : CVE-2024-48862

CVE.ORG link : CVE-2024-48862

JSON object : View

Products Affected

qnap

qulog_center

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

{"id": "CVE-2024-48862", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security@qnapsecurity.com.tw", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-11-22T16:15:28.623", "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-46", "tags": ["Vendor Advisory"], "source": "security@qnapsecurity.com.tw"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@qnapsecurity.com.tw", "description": [{"lang": "en", "value": "CWE-59"}]}], "descriptions": [{"lang": "en", "value": "A link following vulnerability has been reported to affect QuLog Center. If exploited, the vulnerability could allow remote attackers to traverse the file system to unintended locations and read or overwrite the contents of unexpected files.\n\nWe have already fixed the vulnerability in the following versions:\nQuLog Center 1.7.0.831 ( 2024/10/15 ) and later\nQuLog Center 1.8.0.888 ( 2024/10/15 ) and later"}, {"lang": "es", "value": "Se ha informado de una vulnerabilidad relacionada con el seguimiento de enlaces que afecta a QuLog Center. Si se explota, la vulnerabilidad podr\u00eda permitir a atacantes remotos atravesar el sistema de archivos hasta ubicaciones no deseadas y leer o sobrescribir el contenido de archivos inesperados. Ya hemos corregido la vulnerabilidad en las siguientes versiones: QuLog Center 1.7.0.831 (2024/10/15) y posteriores QuLog Center 1.8.0.888 (2024/10/15) y posteriores"}], "lastModified": "2025-12-08T19:18:50.053", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:qnap:qulog_center:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "19E405B4-079C-4AA3-8B9A-EA0327AB6953", "versionEndExcluding": "1.7.0.831", "versionStartIncluding": "1.7.0.800"}, {"criteria": "cpe:2.3:a:qnap:qulog_center:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7E8EFC1-F358-4C48-B881-CA5918B10170", "versionEndExcluding": "1.8.0.888", "versionStartIncluding": "1.8.0.872"}], "operator": "OR"}]}], "sourceIdentifier": "security@qnapsecurity.com.tw"}