QNAP QTS: CVE-2024-48868: Multiple Vulnerabilities in QTS and QuTS hero (PWN2OWN 2024)

Multiple vulnerabilities have been reported to affect certain QNAP operating system versions: CVE-2024-48859: If exploited, the improper authentication vulnerability could allow remote attackers to compromise the security of the system. CVE-2024-48865: If exploited, the improper certificate validation vulnerability could allow attackers with local network access to compromise the security of the system. CVE-2024-48866: If exploited, the improper handling of URL encoding (hex encoding) vulnerability could allow remote attackers to cause the system to go into an unexpected state. CVE-2024-48867, CVE-2024-48868: If exploited, the improper neutralization of CRLF sequences ("CRLF injection") vulnerabilities could allow remote attackers to modify application data. CVE-2024-50393: If exploited, the command injection vulnerability could allow remote attackers to execute arbitrary commands. CVE-2024-50402, CVE-2024-50403: If exploited, the use of externally-controlled format string vulnerabilities could allow remote attackers who have gained administrator access to obtain secret data or modify memory. We have already fixed the vulnerabilities in the following versions: