Authorization bypass through user-controlled key in QNAP Media Streaming Add-on
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-50395 |
| CWE-ID | CWE-639 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
Media Streaming add-on Web applications / Modules and components for CMS |
| Vendor | QNAP Systems, Inc. |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Authorization bypass through user-controlled key
EUVDB-ID: #VU100888
Risk: Medium
CVSSv4.0: 7.4 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2024-50395
CWE-ID:
CWE-639 - Authorization Bypass Through User-Controlled Key
Exploit availability: Yes
DescriptionThe vulnerability allows a remote user to bypass authentication process.
The vulnerability exists due to authorization bypass through user-controlled key. A remote user can gain elevated privileges on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMedia Streaming add-on: before 500.1.1.6
CPE2.3 External linkshttps://www.qnap.com/en/security-advisory/qsa-24-47
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
