OpenCVE

A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: Notes Station 3 3.9.6 and later

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Qnap	Notes Station 3

Configuration 1 [-]

cpe:2.3:a:qnap:notes_station_3:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.qnap.com/en/security-advisory/qsa-24-21

History

Fri, 13 Sep 2024 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Qnap Qnap notes Station 3
CPEs		cpe:2.3:a:qnap:notes_station_3::::::::
Vendors & Products		Qnap Qnap notes Station 3

Fri, 06 Sep 2024 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Sep 2024 16:45:00 +0000

Type	Values Removed	Values Added
Description		A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: Notes Station 3 3.9.6 and later
Title		Notes Station 3
Weaknesses		CWE-79
References		https://www.qnap.com/en/security-advisory/qsa-24-21
Metrics		cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: qnap

Published: 2024-09-06T16:26:32.362Z

Updated: 2024-09-06T17:27:22.814Z

Reserved: 2024-02-20T09:36:58.211Z

Link: CVE-2024-27122

Vulnrichment

Updated: 2024-09-06T17:27:19.337Z

NVD

Status : Analyzed

Published: 2024-09-06T17:15:14.723

Modified: 2024-09-13T21:16:26.670

Link: CVE-2024-27122

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27122", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "state": "PUBLISHED", "assignerShortName": "qnap", "dateReserved": "2024-02-20T09:36:58.211Z", "datePublished": "2024-09-06T16:26:32.362Z", "dateUpdated": "2024-09-06T17:27:22.814Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Notes Station 3", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "3.9.6", "status": "affected", "version": "3.9.x", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.<br><br>We have already fixed the vulnerability in the following versions:<br>Notes Station 3 3.9.6 and later<br>"}], "value": "A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nNotes Station 3 3.9.6 and later"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2024-09-06T16:26:32.362Z"}, "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-21"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "We have already fixed the vulnerability in the following versions:<br>Notes Station 3 3.9.6 and later<br>"}], "value": "We have already fixed the vulnerability in the following versions:\nNotes Station 3 3.9.6 and later"}], "source": {"advisory": "QSA-24-21", "discovery": "EXTERNAL"}, "title": "Notes Station 3", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-06T17:27:16.247409Z", "id": "CVE-2024-27122", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-06T17:27:22.814Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27122", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-06T17:27:16.247409Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-06T17:27:19.337Z"}}], "cna": {"title": "Notes Station 3", "source": {"advisory": "QSA-24-21", "discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "QNAP Systems Inc.", "product": "Notes Station 3", "versions": [{"status": "affected", "version": "3.9.x", "lessThan": "3.9.6", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "We have already fixed the vulnerability in the following versions:\nNotes Station 3 3.9.6 and later", "supportingMedia": [{"type": "text/html", "value": "We have already fixed the vulnerability in the following versions:<br>Notes Station 3 3.9.6 and later<br>", "base64": false}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-24-21"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nNotes Station 3 3.9.6 and later", "supportingMedia": [{"type": "text/html", "value": "A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.<br><br>We have already fixed the vulnerability in the following versions:<br>Notes Station 3 3.9.6 and later<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2024-09-06T16:26:32.362Z"}}}, "cveMetadata": {"cveId": "CVE-2024-27122", "state": "PUBLISHED", "dateUpdated": "2024-09-06T17:27:22.814Z", "dateReserved": "2024-02-20T09:36:58.211Z", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "datePublished": "2024-09-06T16:26:32.362Z", "assignerShortName": "qnap"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qnap:notes_station_3:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF0DD09E-D97F-492D-8B14-4798E6DED5AC", "versionEndExcluding": "3.3.9.6", "versionStartIncluding": "3.3.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.\n\nWe have already fixed the vulnerability in the following versions:\nNotes Station 3 3.9.6 and later"}, {"lang": "es", "value": "Se ha informado de una vulnerabilidad de cross site scripting (XSS) que afecta a Notes Station 3. Si se explota, la vulnerabilidad podr\u00eda permitir que los usuarios autenticados inyecten c\u00f3digo malicioso a trav\u00e9s de una red. Ya hemos corregido la vulnerabilidad en las siguientes versiones: Notes Station 3 3.9.6 y posteriores"}], "id": "CVE-2024-27122", "lastModified": "2024-09-13T21:16:26.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 4.2, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}, "published": "2024-09-06T17:15:14.723", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-24-21"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@qnapsecurity.com.tw", "type": "Primary"}]}