Qnap Security Advisory Bulletin ID: QSA-21-61 and QSA-21-63
Concerning vulnerability in QVPN service and reflected XSS vulnerability in TFTP server
This is a Press Release edited by StorageNewsletter.com on January 11, 2022 at 2:01 pm
Qnap Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of the company’s products.
Use the following information and solutions to correct the security issues and vulnerabilities.
The advisory includes the following:
Vulnerability in QVPN service
Release date: January 7, 2022
Security ID: QSA-21-61
Severity: High
Affected products: Qnap NAS running QVPN service
Summary
A vulnerability has been reported to affect Qnap NAS running QVPN Service 3.x. If exploited, the vulnerability allows attackers to run arbitrary code in the system.
The company has already fixed the vulnerability in the following versions of QVPN Service:
- QVPN Service 3.0.760 (2021/12/17) and later
Reflected XSS vulnerability in TFTP server
Release date: January 7, 2022
Security ID: QSA-21-63
Severity: Medium
CVE identifier: CVE-2021-38674
Affected products: Certain Qnap NAS
Summary
A reflected cross-site scripting (XSS) vulnerability has been reported to affect TFTP Server in QTS, QuTS hero, and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code.
The company has already fixed this vulnerability in the following versions of QTS, QuTS hero, and QuTScloud:
- QTS 4.5.4.1787 build 20210910 and later
- QuTS hero h4.5.4.1771 build 20210825 and later
- QuTScloud c4.5.7.1864 and later