=====================================================================

                              CERT-Renater

                    Note d'Information No. 2023/VULN413

_____________________________________________________________________

DATE                : 18/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Qnap versions prior to
                               5.7.0 (2023/07/27).

=====================================================================
https://www.qnap.com/en/security-advisory/qsa-23-52
_____________________________________________________________________


Security ID : QSA-23-52
Vulnerabilities in Video Station

     Release date : October 14, 2023

     CVE identifier : CVE-2023-34975 | CVE-2023-34976 | CVE-2023-34977

     Affected products: Video Station 5.7.x

Severity
High

Status
Resolved


Summary

Three vulnerabilities have been reported to affect Video Station:

     CVE-2023-34975 and CVE-2023-34976: SQL injection vulnerabilities
     CVE-2023-34977: Cross-site scripting (XSS) vulnerability

If exploited, these vulnerabilities could allow authenticated users
to inject malicious code via a network.

We have already fixed the vulnerability in the following version:

Affected Product        Fixed Version
Video Station 5.7.x     Video Station 5.7.0 (2023/07/27) and later


Recommendation

To fix the vulnerability, we recommend updating Video Station to
the latest version.


Updating Video Station

     Log on to QTS or QuTS hero as administrator.
     Open the App Center and then click .
     A search box appears.
     Type "Video Station" and then press ENTER.
     Video Station appears in the search results.
     Click Update.
     A confirmation message appears.
     Note: The Update button is not available if your Video Station
       is already up to date.
     Click OK.
     The application is updated.

Attachment

     CVE-2023-34975.json
     CVE-2023-34976.json
     CVE-2023-34977.json


Acknowledgements: Kaibro


Revision History:
V1.0 (October 14, 2023) - Published


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================