Cross-Site Scripting Vulnerability in QNAP Photo Station Software
CVE-2024-12923

2LOW

Key Information:

Vendor: QNAP
Status: Photo Station
Vendor: CVE Published:; 29 August 2025

What is CVE-2024-12923?

A cross-site scripting vulnerability has been discovered in QNAP's Photo Station, allowing unauthorized remote attackers to exploit user accounts. This exploitation enables attackers to bypass essential security mechanisms and potentially access sensitive application data. The issue has been addressed in Photo Station version 6.4.5 and later, released on January 2, 2025. Users are strongly encouraged to update their software to mitigate risks.

Affected Version(s)

Photo Station 6.4.x < 6.4.5 ( 2025/01/02 )

References

https://www.qnap.com/en/security-advisory/qsa-25-24

CVSS V4

Score:

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 29, 2025
Vulnerability Reserved
Dec 25, 2024

Credit

Searat and izut