Qnap Security Advisory Bulletin ID: QSA-21-20, QSA-21-21 and QSA-21-22
Concerning post-authentication reflected XSS vulnerability in Q'center, command injection vulnerability in video station, and DOM-based XSS vulnerability in QTS and QuTS hero
This is a Press Release edited by StorageNewsletter.com on June 7, 2021 at 2:31 pm.
Qnap Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of the company's NAS products.
Use the following information and solutions to correct the security issues and vulnerabilities.
The advisory includes the following:
- Post-Authentication Reflected XSS Vulnerability in Q'center (ID: QSA-21-20)
- Command Injection Vulnerability in Video Station (ID: QSA-21-21)
- DOM-Based XSS Vulnerability in QTS and QuTS hero (ID: QSA-21-22)
Post-Authentication reflected XSS vulnerability in Q’center
Release date: June 3, 2021
Security ID: QSA-21-20
Severity: High
CVE identifier: CVE-2021-28807
Affected products: Qnap NAS running Q’center
Summary
A post-authentication reflected XSS vulnerability has been reported to affect Qnap NAS running Q’center. If exploited, this vulnerability allows remote attackers to inject malicious code.
Qnap has already fixed this vulnerability in the following versions of Q'center:
- QTS 4.5.3: Q'center v1.12.1012 and later
- QTS 4.3.6: Q'center v1.10.1004 and later
- QTS 4.3.3: Q'center v1.10.1004 and later
- QuTS hero h4.5.2: Q'center v1.12.1012 and later
- QuTScloud c4.5.4: Q'center v1.12.1012 and later
Command injection vulnerability in Video Station
Release date: June 3, 2021
Security ID: QSA-21-21
Severity: High
CVE identifier: CVE-2021-28812
Affected products: Qnap NAS running Video Station
Summary
A command injection vulnerability has been reported to affect certain versions of Video Station. If exploited, this vulnerability allows remote attackers to execute arbitrary commands.
Qnap has already fixed the issue in the following versions:
- QTS 4.5.2: Video Station 5.5.4 and later
- QuTS hero h4.5.2: Video Station 5.5.4 and later
- QuTScloud c4.5.4: Video Station 5.5.4 and later
Qnap NAS running the following versions are not affected:
- QTS 4.3.6: Video Station 5.3.11 and later
- QTS 4.3.3: Video Station 5.1.6 and later
DOM-Based XSS vulnerability in QTS and QuTS hero
Release date: June 3, 2021
Security ID: QSA-21-22
Severity: Medium
CVE identifier: CVE-2021-28806
Affected products: Certain Qnap NAS
Summary
A DOM-based XSS vulnerability has been reported to affect NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code.
Qnap has already fixed this vulnerability in the following versions:
- QTS 4.5.3.1652 Build 20210428 and later
- QuTS hero h4.5.2.1638 Build 20210414 and later
- QuTScloud c4.5.5.1656 Build 20210503 and later
Qnap NAS running QTS 4.3.6 and QTS 4.3.3 are not affected.
Questions regarding this issue: contact