Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-38643

Summary
Assigner-qnap
Assigner Org ID-2fd009eb-170a-4625-932b-17a53af1051f
Published At-22 Nov, 2024 | 15:32
Updated At-22 Nov, 2024 | 16:51
Rejected At-
Credits

Notes Station 3

A missing authentication for critical function vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote attackers to gain access to and execute certain functions. We have already fixed the vulnerability in the following version: Notes Station 3 3.9.7 and later

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:qnap
Assigner Org ID:2fd009eb-170a-4625-932b-17a53af1051f
Published At:22 Nov, 2024 | 15:32
Updated At:22 Nov, 2024 | 16:51
Rejected At:
▼CVE Numbering Authority (CNA)
Notes Station 3

A missing authentication for critical function vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote attackers to gain access to and execute certain functions. We have already fixed the vulnerability in the following version: Notes Station 3 3.9.7 and later

Affected Products
Vendor
QNAP Systems, Inc.QNAP Systems Inc.
Product
Notes Station 3
Default Status
unaffected
Versions
Affected
  • From 3.9.x before 3.9.7 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-306CWE-306
Type: CWE
CWE ID: CWE-306
Description: CWE-306
Metrics
VersionBase scoreBase severityVector
4.09.3CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Version: 4.0
Base score: 9.3
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-115CAPEC-115
CAPEC ID: CAPEC-115
Description: CAPEC-115
Solutions

We have already fixed the vulnerability in the following version: Notes Station 3 3.9.7 and later

Configurations
Workarounds
Exploits
Credits
finder
Thomas Fady
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.qnap.com/en/security-advisory/qsa-24-36
N/A
Hyperlink: https://www.qnap.com/en/security-advisory/qsa-24-36
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
QNAP Systems, Inc.qnap
Product
notes_station_3
CPEs
  • cpe:2.3:a:qnap:notes_station_3:-:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 3.9.0 before 3.9.7 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@qnapsecurity.com.tw
Published At:22 Nov, 2024 | 16:15
Updated At:22 Nov, 2024 | 16:15

A missing authentication for critical function vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote attackers to gain access to and execute certain functions. We have already fixed the vulnerability in the following version: Notes Station 3 3.9.7 and later

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.09.3CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 4.0
Base score: 9.3
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-306Secondarysecurity@qnapsecurity.com.tw
CWE ID: CWE-306
Type: Secondary
Source: security@qnapsecurity.com.tw
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.qnap.com/en/security-advisory/qsa-24-36security@qnapsecurity.com.tw
N/A
Hyperlink: https://www.qnap.com/en/security-advisory/qsa-24-36
Source: security@qnapsecurity.com.tw
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

4Records found
CVE-2024-32764
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-9.9||CRITICAL
EPSS-0.06% / 18.95%
||
7 Day CHG~0.00%
Published-26 Apr, 2024 | 15:00
Updated-02 Aug, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
myQNAPcloud Link

A missing authentication for critical function vulnerability has been reported to affect myQNAPcloud Link. If exploited, the vulnerability could allow users with the privilege level of some functionality via a network. We have already fixed the vulnerability in the following version: myQNAPcloud Link 2.4.51 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-myQNAPcloud Linkmyqnapcloud_link
CWE ID-CWE-749
Exposed Dangerous Method or Function
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-346
Origin Validation Error
CVE-2024-32765
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-4.2||MEDIUM
EPSS-0.03% / 5.88%
||
7 Day CHG~0.00%
Published-09 Aug, 2024 | 17:09
Updated-12 Aug, 2024 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QTS, QuTS hero

A vulnerability has been reported to affect Network & Virtual Switch. If exploited, the vulnerability could allow local authenticated administrators to gain access to and execute certain functions via unspecified vectors. We have already fixed the vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QuTS hero h5.1.8.2823 build 20240712 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-QuTS heroQTS
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-291
Reliance on IP Address for Authentication
CVE-2021-28809
Matching Score-6
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-6
Assigner-QNAP Systems, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.58% / 67.84%
||
7 Day CHG~0.00%
Published-08 Jul, 2021 | 07:40
Updated-17 Sep, 2024 | 00:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authentication for Critical Function in RTRR Server in HBS3

An improper access control vulnerability has been reported to affect certain legacy versions of HBS 3. If exploited, this vulnerability allows attackers to compromise the security of the operating system.QNAP have already fixed this vulnerability in the following versions of HBS 3: QTS 4.3.6: HBS 3 v3.0.210507 and later QTS 4.3.4: HBS 3 v3.0.210506 and later QTS 4.3.3: HBS 3 v3.0.210506 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-hybrid_backup_syncqtsHBS 3
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-749
Exposed Dangerous Method or Function
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-40664
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-9.3||CRITICAL
EPSS-0.20% / 42.10%
||
7 Day CHG~0.00%
Published-26 May, 2025 | 12:47
Updated-28 May, 2025 | 15:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing authentication vulnerability in TCMAN GIM v11

Missing authentication vulnerability in TCMAN GIM v11. This allows an unauthenticated attacker to access the resources /frmGestionUser.aspx/GetData, /frmGestionUser.aspx/updateUser and /frmGestionUser.aspx/DeleteUser.

Action-Not Available
Vendor-TCMAN
Product-GIM
CWE ID-CWE-306
Missing Authentication for Critical Function
Details not found