QNAP QTS: CVE-2024-21899: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)

Multiple vulnerabilities have been reported to affect certain QNAP operating system and application versions: CVE-2024-21899: If exploited, the improper authentication vulnerability could allow remote attackers who have gained user access to compromise the security of the system. CVE-2024-21900: If exploited, the injection vulnerability could allow remote attackers who have gained user access to execute arbitrary commands. CVE-2024-21901: If exploited, the SQL injection vulnerability could allow attackers who have gained administrator access to inject malicious code. CVE-2024-27124, CVE-2024-32766: If exploited, the OS command injection vulnerabilities could allow remote attackers who have gained user access to execute arbitrary commands. CVE-2024-32764: If exploited, the missing authentication for critical function vulnerability could allow unprivileged users to gain access to and execute certain functions. We have already fixed the vulnerabilities in the following versions: