Security ID : QSA-24-36
Multiple Vulnerabilities in Notes Station 3
Release date : November 23, 2024
CVE identifier : CVE-2024-38643 | CVE-2024-38644 | CVE-2024-38645 | CVE-2024-38646
Affected products: Notes Station 3 version 3.9.x
Severity
Important
Status
Resolved
Summary
Multiple vulnerabilities have been reported to affect Notes Station 3:
- CVE-2024-38643: If exploited, the missing authentication for critical function vulnerability could allow remote attackers to gain access to the system.
- CVE-2024-38644: If exploited, the command injection vulnerability could allow remote attackers who have gained user access to execute arbitrary commands.
- CVE-2024-38645: If exploited, the server-side request forgery (SSRF) vulnerability could allow remote attackers who have gained user access to read application data.
- CVE-2024-38646: If exploited, the incorrect permission assignment for critical resource vulnerability could allow local attackers who have gained administrator access to gain unauthorized access to data.
We have already fixed the vulnerabilities in the following version:
| Affected Product | Fixed Version |
| Notes Station 3 version 3.9.x | Notes Station 3 version 3.9.7 and later |
Recommendation
To fix the vulnerabilities, we recommend updating Notes Station 3 to the latest version.
Updating Notes Station 3
- Log on to QTS or QuTS hero as an administrator.
- Open App Center and then click
.
A search box appears. - Type "Notes Station 3" and then press ENTER.
Notes Station 3 appears in the search results. - Click Update.
A confirmation message appears.
Note: The Update button is not available if your Notes Station 3 is already up to date. - Click OK.
The application is updated.
Attachment
Acknowledgements: Thomas Fady
Revision History:
V1.0 (November 23, 2024) - Published
