CVE-2024-53694

A time-of-check time-of-use (TOCTOU) race condition vulnerability has been reported to affect several product versions. If exploited, the vulnerability could allow local attackers who have gained user access to gain access to otherwise unauthorized resources. We have already fixed the vulnerability in the following versions: QVPN Device Client for Mac 2.2.5 and later Qsync for Mac 5.1.3 and later Qfinder Pro Mac 7.11.1 and later

CVSS

No CVSS.

References

Link	Resource
https://www.qnap.com/en/security-advisory/qsa-24-51

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Se ha informado de una vulnerabilidad de condición de ejecución de tiempo de uso y tiempo de verificación (TOCTOU) que afecta a varias versiones del producto. Si se explota, la vulnerabilidad podría permitir que los atacantes locales que hayan obtenido acceso de usuario obtengan acceso a recursos que de otro modo no estarían autorizados. Ya hemos corregido la vulnerabilidad en las siguientes versiones: QVPN Device Client para Mac 2.2.5 y posteriores Qsync para Mac 5.1.3 y posteriores Qfinder Pro Mac 7.11.1 y posteriores

07 Mar 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-07 17:15

Updated : 2026-04-15 00:35

NVD link : CVE-2024-53694

Mitre link : CVE-2024-53694

CVE.ORG link : CVE-2024-53694

JSON object : View

Products Affected

No product.

CWE

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

{"id": "CVE-2024-53694", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@qnapsecurity.com.tw", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-07T17:15:20.103", "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-51", "source": "security@qnapsecurity.com.tw"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@qnapsecurity.com.tw", "description": [{"lang": "en", "value": "CWE-367"}]}], "descriptions": [{"lang": "en", "value": "A time-of-check time-of-use (TOCTOU) race condition vulnerability has been reported to affect several product versions. If exploited, the vulnerability could allow local attackers who have gained user access to gain access to otherwise unauthorized resources.\n\nWe have already fixed the vulnerability in the following versions:\nQVPN Device Client for Mac 2.2.5 and later\nQsync for Mac 5.1.3 and later\nQfinder Pro Mac 7.11.1 and later"}, {"lang": "es", "value": "Se ha informado de una vulnerabilidad de condici\u00f3n de ejecuci\u00f3n de tiempo de uso y tiempo de verificaci\u00f3n (TOCTOU) que afecta a varias versiones del producto. Si se explota, la vulnerabilidad podr\u00eda permitir que los atacantes locales que hayan obtenido acceso de usuario obtengan acceso a recursos que de otro modo no estar\u00edan autorizados. Ya hemos corregido la vulnerabilidad en las siguientes versiones: QVPN Device Client para Mac 2.2.5 y posteriores Qsync para Mac 5.1.3 y posteriores Qfinder Pro Mac 7.11.1 y posteriores"}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "security@qnapsecurity.com.tw"}