Aliz Hammond

**Name of the Vulnerable Software and Affected Versions** NetScaler ADC versions prior to 14.1-60.58 NetScaler Gateway versions prior to 13.1-662.23 **Description** Insufficient input validation in the SAML processing module of NetScaler ADC and NetScaler Gateway, when configured as a SAML Identity Provider (IdP), leads to an out-of-bounds memory read. An unauthenticated remote attacker can exploit this by sending specially crafted SAML authentication requests with a malformed `AttributeValue` length. This causes the parser to read past the input buffer into the system's heap memory, potentially leaking sensitive data such as active session tokens, administrative credentials, plaintext cookies, and private cryptographic keys. This leak occurs during the pre-authentication phase, allowing attackers to bypass Multi-Factor Authentication (MFA) and hijack live user sessions. Approximately 30,000 instances are estimated to be internet-exposed globally. Real-world exploitation has been observed, including reconnaissance and active harvesting of tokens by threat actors. **Recommendations** Update NetScaler ADC to version 14.1-60.58 or later. Update NetScaler Gateway to version 13.1-662.23 or later. Perform a full reboot of the appliance after patching to clear the memory space. Terminate all active user sessions to invalidate any previously stolen tokens. Use the `flush cache` command to remove malicious SAML data. Rotate private keys used for SAML signing if a breach is suspected. As a temporary mitigation, restrict or disable the SAML IdP configuration if not strictly required.

**Name of the Vulnerable Software and Affected Versions** QNAP QTS versions prior to 5.1.8.2823 build 20240712 QNAP QuTS hero versions prior to h5.1.8.2823 build 20240712 **Description** A buffer copy without checking size of input issue has been reported to affect several QNAP operating system versions. If exploited, the issue could allow authenticated users to execute code via a network. **Recommendations** For QNAP QTS versions prior to 5.1.8.2823 build 20240712, update to QTS 5.1.8.2823 build 20240712 or later. For QNAP QuTS hero versions prior to h5.1.8.2823 build 20240712, update to QuTS hero h5.1.8.2823 build 20240712 or later.

**Name of the Vulnerable Software and Affected Versions** QNAP QTS versions prior to 5.2.0.2782 build 20240601 QNAP QuTS hero versions prior to h5.2.0.2782 build 20240601 **Description** An improper restriction of excessive authentication attempts issue has been reported to affect several QNAP operating system versions. If exploited, the issue could allow local network authenticated administrators to perform an arbitrary number of authentication attempts via unspecified vectors. QuTScloud is not affected. **Recommendations** For QNAP QTS versions prior to 5.2.0.2782 build 20240601, update to QTS 5.2.0.2782 build 20240601 or later. For QNAP QuTS hero versions prior to h5.2.0.2782 build 20240601, update to QuTS hero h5.2.0.2782 build 20240601 or later.

**Name of the Vulnerable Software and Affected Versions** QuLog Center versions prior to 1.8.0.872 QuLog Center versions prior to 1.7.0.827 **Description** A cross-site scripting (XSS) vulnerability has been reported to affect QuLog Center. If exploited, the vulnerability could allow users to inject malicious code via a network. **Recommendations** For QuLog Center versions prior to 1.8.0.872, update to version 1.8.0.872 or later. For QuLog Center versions prior to 1.7.0.827, update to version 1.7.0.827 or later.

Name of the Vulnerable Software and Affected Versions: QNAP QTS versions prior to 5.1.7.2770 build 20240520 QNAP QuTS hero versions prior to h5.1.7.2770 build 20240520 Description: A buffer copy without checking the size of input issue has been reported, potentially allowing authenticated users to execute code via a network. This could be exploited by remote attackers. Recommendations: For QNAP QTS versions prior to 5.1.7.2770 build 20240520, update to QTS 5.1.7.2770 build 20240520 or later. For QNAP QuTS hero versions prior to h5.1.7.2770 build 20240520, update to QuTS hero h5.1.7.2770 build 20240520 or later.

Name of the Vulnerable Software and Affected Versions: QTS versions prior to 5.1.7.2770 build 20240520 QuTS hero versions prior to h5.1.7.2770 build 20240520 Description: The issue is related to an incorrect permission assignment for a critical resource in QNAP operating systems, which could allow authenticated users to read or modify the resource via a network. This could potentially enable remote execution of arbitrary code. Recommendations: For QTS versions prior to 5.1.7.2770 build 20240520, update to QTS 5.1.7.2770 build 20240520 or later. For QuTS hero versions prior to h5.1.7.2770 build 20240520, update to QuTS hero h5.1.7.2770 build 20240520 or later.

Name of the Vulnerable Software and Affected Versions: QTS versions prior to 5.1.7.2770 build 20240520 QuTS hero versions prior to h5.1.7.2770 build 20240520 Description: A buffer copy without checking the size of input issue has been reported to affect several QNAP operating system versions. If exploited, the issue could allow authenticated users to execute code via a network. Recommendations: For QTS versions prior to 5.1.7.2770 build 20240520, update to QTS 5.1.7.2770 build 20240520 or later. For QuTS hero versions prior to h5.1.7.2770 build 20240520, update to QuTS hero h5.1.7.2770 build 20240520 or later.

Name of the Vulnerable Software and Affected Versions: QTS versions prior to 5.1.7.2770 build 20240520 QuTS hero versions prior to h5.1.7.2770 build 20240520 Description: A double free vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute arbitrary code via a network. Recommendations: For QTS versions prior to 5.1.7.2770 build 20240520, update to version 5.1.7.2770 build 20240520 or later. For QuTS hero versions prior to h5.1.7.2770 build 20240520, update to version h5.1.7.2770 build 20240520 or later.

**Name of the Vulnerable Software and Affected Versions** QNAP QTS versions prior to 5.1.6.2722 build 20240402 QNAP QuTS hero versions prior to h5.1.6.2734 build 20240414 **Description** An incorrect authorization issue has been reported, affecting several QNAP operating system versions. If exploited, this could allow authenticated users to bypass intended access restrictions via a network. **Recommendations** For QNAP QTS versions prior to 5.1.6.2722 build 20240402, update to QTS 5.1.6.2722 build 20240402 or later. For QNAP QuTS hero versions prior to h5.1.6.2734 build 20240414, update to QuTS hero h5.1.6.2734 build 20240414 or later.

**Name of the Vulnerable Software and Affected Versions** QTS versions prior to 5.1.6.2722 build 20240402 QuTS hero versions prior to h5.1.6.2734 build 20240414 **Description** The issue is caused by a buffer copy without checking the size of input, which may allow authenticated users to execute code via a network. This could potentially impact the integrity of data. **Recommendations** For QTS versions prior to 5.1.6.2722 build 20240402, update to QTS 5.1.6.2722 build 20240402 or later. For QuTS hero versions prior to h5.1.6.2734 build 20240414, update to QuTS hero h5.1.6.2734 build 20240414 or later. As a temporary workaround, consider restricting network access to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QTS versions prior to 5.1.6.2722 build 20240402 QuTS hero versions prior to h5.1.6.2734 build 20240414 **Description** The issue is caused by a buffer copy without checking the size of the input, which may allow authenticated users to execute code via a network. This could potentially impact the integrity of protected information. **Recommendations** For QTS versions prior to 5.1.6.2722 build 20240402, update to QTS 5.1.6.2722 build 20240402 or later. For QuTS hero versions prior to h5.1.6.2734 build 20240414, update to QuTS hero h5.1.6.2734 build 20240414 or later.

**Name of the Vulnerable Software and Affected Versions** QTS versions prior to 5.1.6.2722 build 20240402 QuTS hero versions prior to h5.1.6.2734 build 20240414 **Description** The issue is caused by a buffer copy without checking the size of the input, which can lead to a buffer overflow on the stack. This allows a remote attacker to execute arbitrary code. If exploited, the issue could allow authenticated users to execute code via a network. **Recommendations** For QTS versions prior to 5.1.6.2722 build 20240402, update to QTS 5.1.6.2722 build 20240402 or later. For QuTS hero versions prior to h5.1.6.2734 build 20240414, update to QuTS hero h5.1.6.2734 build 20240414 or later.

**Name of the Vulnerable Software and Affected Versions** QTS versions prior to 5.1.7.2770 build 20240520 QuTS hero versions prior to h5.1.7.2770 build 20240520 **Description** The issue is related to a buffer copy without checking the size of the input, which can lead to a stack overflow. This allows remote-code execution on QNAP devices. The vulnerability is associated with the `get file size` function in the `share.cgi` file. It is estimated that over 3 million devices may be affected. The vulnerability has been exploited in real-world incidents, with a proof-of-concept (PoC) exploit available. Technical details about exploitation include the use of a string parameter that triggers the overflow, making exploitation more complex due to the inability to add null bytes to the payload. **Recommendations** For QTS versions prior to 5.1.7.2770 build 20240520, update to QTS 5.1.7.2770 build 20240520 or later. For QuTS hero versions prior to h5.1.7.2770 build 20240520, update to QuTS hero h5.1.7.2770 build 20240520 or later. As a temporary workaround, consider restricting access to the vulnerable `share.cgi` file until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** OpenAM versions prior to 14.6.6 **Description** The NT auth module in OpenAM allows a "replace Samba username attack." This issue may potentially be exploited to bypass authentication mechanisms. **Recommendations** For versions prior to 14.6.6, update to version 14.6.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the NT auth module until a patch is applied.