Critical Vulnerabilities in QNAP Notes Station 3: Update Now to Protect Your Data
QNAP has issued a security advisory regarding multiple critical vulnerabilities in Notes Station 3, a popular application for managing and sharing notes on QNAP devices. These vulnerabilities, with CVSS scores ranging from 8.4 to 9.4, could expose systems to unauthorized access, data theft, and remote command execution if left unpatched.
The advisory highlights four significant security flaws affecting Notes Station 3 version 3.9.x:
- CVE-2024-38643 (CVSS 9.3): A missing authentication for critical function vulnerability. If exploited, this could allow remote attackers to gain unauthorized system access.
- CVE-2024-38644 (CVSS 8.7): A command injection vulnerability. Attackers with user access could execute arbitrary commands on the system.
- CVE-2024-38645 (CVSS 9.4): A server-side request forgery (SSRF) vulnerability. This flaw could enable attackers with user access to read application data.
- CVE-2024-38646 (CVSS 8.4): An incorrect permission assignment for critical resources. Local attackers with administrator access could gain unauthorized access to sensitive data.
The vulnerabilities could be exploited by remote or local attackers, leading to a range of potential impacts:
- Unauthorized system access
- Execution of arbitrary commands
- Exposure of application data
- Unauthorized access to critical resources
With CVSS scores above 8.0 for all vulnerabilities, these flaws pose significant risks to both personal and enterprise environments.
These vulnerabilities affect Notes Station 3 version 3.9.x. Users are advised to check their application version and apply the recommended updates immediately.
The vulnerabilities have been addressed in Notes Station 3 version 3.9.7 and later. To update Notes Station 3:
- Log on to QTS or QuTS hero as an administrator.
- Open App Center and then click .
  A search box appears.
- Type “Notes Station 3” and then press ENTER.
  Notes Station 3 appears in the search results.
- Click Update.
  A confirmation message appears.
  Note: The Update button is not available if your Notes Station 3 is already up to date.
- Click OK.
  The application is updated.
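When more than one device needs checking, the affected branch (3.9.x) and the fixed release (3.9.7) stated above can be applied to an inventory of installed versions. The following Python script is an added example, not code from QNAP or from the original article; the inventory format, host names and status labels are assumptions constructed for illustration.

```python
import re

FIXED = (3, 9, 7)          # first fixed release named in the advisory
AFFECTED_BRANCH = (3, 9)   # the advisory covers 3.9.x only

# Constructed sample inventory: "hostname,installed Notes Station 3 version"
SAMPLE_INVENTORY = """\
nas-office,3.9.2
nas-lab,3.9.7
nas-backup,3.9.10
nas-legacy,3.5.4
nas-broken,unknown
"""

def parse_version(text):
    """Return a tuple of ints for dotted versions such as '3.9.6', else None."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(version_text):
    """Map a version string to vulnerable / patched / not-covered / unparsed."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"       # needs a manual check in App Center
    if version[:2] != AFFECTED_BRANCH:
        return "not-covered"    # the advisory makes no statement about this branch
    # Compare numerically on three components so that 3.9.10 sorts after 3.9.7
    # (a plain string comparison would get this wrong); '3.9' is read as 3.9.0.
    padded = (version + (0, 0))[:3]
    return "patched" if padded >= FIXED else "vulnerable"

def triage(inventory_text):
    """Return {host: status} for each non-empty 'host,version' line."""
    results = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _, version_text = line.partition(",")
        results[host.strip()] = classify(version_text)
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Hosts reported as "unparsed" or "not-covered" are outside what the advisory states and should be verified by hand rather than assumed safe.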