What are you looking for ?
Advertise with us
Advertise with us

Qnap Security Advisory Bulletin ID: QSA-21-20, QSA-21-21 and QSA-21-22

Concerning post-authentication reflected XSS vulnerability in Q'center, command injection vulnerability in video station, and DOM-based XSS vulnerability in QTS and QuTS hero

Qnap Systems, Inc. had published security enhancement against security vulnerabilities that could affect specific versions of the company’s NAS products.

Use the following information and solutions to correct the security issues and vulnerabilities.

Advisory includes following:

Post-Authentication reflected XSS vulnerability in Q’center
Release date: June 3, 2021
Security ID: QSA-21-20
Severity: High
CVE identifier: CVE-2021-28807
Affected products: Qnap NAS running Q’center

Summary
A post-authentication reflected XSS vulnerability has been reported to affect Qnap NAS running Q’center. If exploited, this vulnerability allows remote attackers to inject malicious code.

Company have already fixed this vulnerability in following versions of Q’center:

  • QTS 4.5.3: Q’center v1.12.1012 and later

  • QTS 4.3.6: Q’center v1.10.1004 and later

  • QTS 4.3.3: Q’center v1.10.1004 and later

  • QuTS hero h4.5.2: Q’center v1.12.1012 and later

  • QuTScloud c4.5.4: Q’center v1.12.1012 and later

More informations link

Command injection vulnerability in Video Station
Release date: June 3, 2021
Security ID: QSA-21-21
Severity: High
CVE identifier: CVE-2021-28812
Affected products: Qnap NAS running Video Station

Summary
A command injection vulnerability has been reported to affect certain versions of Video Station. If exploited, this vulnerability allows remote attackers to execute arbitrary commands.

Company have already fixed the issue in following versions:

  • QTS 4.5.2: Video Station 5.5.4 and later

  • QuTS hero h4.5.2: Video Station 5.5.4 and later

  • QuTScloud c4.5.4: Video Station 5.5.4 and later

Qnap NAS running following versions are not affected:

  • QTS 4.3.6: Video Station 5.3.11 and later

  • QTS 4.3.3: Video Station 5.1.6 and later

More informations link

DOM-Based XSS vulnerability in QTS and QuTS hero
Release date: June 3, 2021
Security ID: QSA-21-22
Severity: Medium
CVE identifier: CVE-2021-28806
Affected products: Certain Qnap NAS

Summary
A DOM-based XSS vulnerability has been reported to affect NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code.

Company have already fixed this vulnerability in following versions:

  • QTS 4.5.3.1652 Build 20210428 and later

  • QuTS hero h4.5.2.1638 Build 20210414 and later

  • QuTScloud c4.5.5.1656 Build 20210503 and later

Qnap NAS running QTS 4.3.6 and QTS 4.3.3 are not affected.

More informations link

Questions regarding this issue: contact

Read also :
Articles_bottom
ExaGrid
AIC
ATTOtarget="_blank"
OPEN-E
RAIDON