A missing authentication for critical function vulnerability has been reported to affect myQNAPcloud Link. If exploited, the vulnerability could allow users with the privilege level of some functionality via a network. We have already fixed the vulnerability in the following version: myQNAPcloud Link 2.4.51 and later
The vulnerability results from the lack of a required authentication mechanism when accessing specific critical functions of the myQNAPcloud Link application. An attacker can, without possessing any credentials, invoke these functions over the network. The associated CWE vectors also indicate issues with request source verification (CWE-346) and exposure of functions that should be inaccessible from the outside (CWE-749). The broad scope of impact (Scope: Changed) suggests that exploitation may affect resources beyond the application itself.
An attacker can gain unauthorized access to protected application functions, which may lead to data modification or deletion (high integrity impact), as well as partial information disclosure (low confidentiality impact) and service availability degradation.
Update myQNAPcloud Link to version 2.4.51 or later. A patch is available from the vendor — details in QNAP security bulletin QSA-24-09 at https://www.qnap.com/en/security-advisory/qsa-24-09
QNAP myQNAPcloud Link — all versions prior to 2.4.51
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:LQnap Myqnapcloud Link
APPQnap2.4.0 – 2.4.51 (bez)
Related vulnerabilities
Insecure storage of sensitive information has been reported to affect QNAP NAS running myQNAPcloud Link. If ex...
An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Ph...
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync...
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerabil...
If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. QNA...