=====================================================================

                                 CERT-Renater

                     Note d'Information No. 2024/VULN019
_____________________________________________________________________

DATE                : 09/01/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running QuMagie versions prior to 2.2.1.

=====================================================================
https://www.qnap.com/fr-fr/security-advisory/qsa-23-23
_____________________________________________________________________

Security ID : QSA-23-23
Multiple Vulnerabilities in QuMagie

     Release date : January 6, 2024

     CVE identifier : CVE-2023-47559 | CVE-2023-47560

     Affected products: QuMagie 2.2.x

Severity
High

Status
Resolved


Summary

Two vulnerabilities have been reported to affect QuMagie:

     CVE-2023-47559: If exploited, the cross-site scripting (XSS)
vulnerability could allow authenticated users to inject malicious code
via a network.
     CVE-2023-47560: If exploited, the OS command injection vulnerability
could allow authenticated users to execute commands via a network.


We have already fixed the vulnerabilities in the following version:
Affected Product     Fixed Version
QuMagie 2.2.x        QuMagie 2.2.1 and later


Recommendation

To fix the vulnerabilities, we recommend updating QuMagie to the
latest version.


Updating QuMagie

     Log on to QTS or QuTS hero as an administrator.
     Open App Center and then click .
     A search box appears.
     Type "QuMagie" and then press ENTER.
     QuMagie appears in the search results.
     Click Update.
     A confirmation message appears.
     Note: The Update button is not available if your QuMagie is
already up to date.
     Click OK.
     The system updates the application.

   Attachment

     CVE-2023-47559.json
     CVE-2023-47560.json

Acknowledgements: lebr0nli (Alan Li), working with DEVCORE
Internship Program

Revision History:
V1.0 (January 06, 2024) - Published

_____________________________________________________________________


Security ID : QSA-23-32
Vulnerability in QuMagie

     Release date : January 6, 2024

     CVE identifier : CVE-2023-47219

     Affected products: QuMagie 2.2.x

Severity
Low

Status
Resolved


Summary

An SQL injection vulnerability has been reported to affect QuMagie.
If exploited, the vulnerability could allow authenticated users to
inject malicious code via a network.

   We have already fixed the vulnerability in the following version:

Affected Product       Fixed Version
QuMagie 2.2.x          QuMagie 2.2.1 and later


Recommendation

To fix the vulnerability, we recommend updating QuMagie to the
latest version.


Updating QuMagie

     Log on to QTS or QuTS hero as an administrator.
     Open App Center and then click .
     A search box appears.
     Type "QuMagie" and then press ENTER.
     QuMagie appears in the search results.
     Click Update.
     A confirmation message appears.
     Note: The Update button is not available if your QuMagie is
already up to date.
     Click OK.
     The system updates the application.

   Attachment

     CVE-2023-47219.json

Revision History:
V1.0 (January 06, 2024) - Published


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================