QNAP QTS: CVE-2023-50366: Multiple Vulnerabilities in QTS and QuTS hero

Multiple vulnerabilities have been reported to affect certain QNAP operating system versions: CVE-2023-50361, CVE-2023-50362, CVE-2023-50364, CVE-2023-51367: If exploited, the buffer copy without checking size of input vulnerabilities could allow remote attackers who have gained user access to execute arbitrary code. CVE-2023-50363: If exploited, the incorrect authorization vulnerability could allow remote attackers who have gained user access to bypass 2-step verification. CVE-2023-50366: If exploited, the cross-site scripting (XSS) vulnerability could allow attackers who have gained administrator access to inject malicious code. CVE-2023-51366: If exploited, the path traversal vulnerability could allow remote attackers who have gained user access to traverse the file system and read sensitive data. CVE-2023-51368: If exploited, the NULL pointer dereference vulnerability could allow remote attackers who have gained user access to launch a denial-of-service (DoS) attack. CVE-2024-21897: If exploited, the cross-site scripting (XSS) vulnerability could allow attackers who have gained user access to inject malicious code. CVE-2024-21898, CVE-2024-21903: If exploited, the OS command injection vulnerabilities could allow remote attackers who have gained user access to inject malicious commands. We have already fixed the vulnerabilities in the following versions: