QNAP Security Advisory
Post-Authentication Reflected XSS Vulnerability in Q’center
Command Injection Vulnerability in Video Station
DOM-Based XSS Vulnerability in QTS and QuTS hero

QNAP® has published security enhancements against vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.

This advisory includes the following:


Post-Authentication Reflected XSS Vulnerability in Q’center

Release date: June 3, 2021
Security ID: QSA-21-20
Severity: High
CVE identifier: CVE-2021-28807
Affected products: QNAP NAS running Q’center

Summary

A post-authentication reflected XSS vulnerability has been reported to affect QNAP NAS running Q’center. If exploited, this vulnerability allows remote attackers to inject malicious code.

We have already fixed this vulnerability in the following versions of Q’center:

  • QTS 4.5.3: Q’center v1.12.1012 and later
  • QTS 4.3.6: Q’center v1.10.1004 and later
  • QTS 4.3.3: Q’center v1.10.1004 and later
  • QuTS hero h4.5.2: Q’center v1.12.1012 and later
  • QuTScloud c4.5.4: Q’center v1.12.1012 and later



Command Injection Vulnerability in Video Station

Release date: June 3, 2021
Security ID: QSA-21-21
Severity: High
CVE identifier: CVE-2021-28812
Affected products: QNAP NAS running Video Station

Summary

A command injection vulnerability has been reported to affect certain versions of Video Station. If exploited, this vulnerability allows remote attackers to execute arbitrary commands.

We have already fixed the issue in the following versions:

  • QTS 4.5.2: Video Station 5.5.4 and later
  • QuTS hero h4.5.2: Video Station 5.5.4 and later
  • QuTScloud c4.5.4: Video Station 5.5.4 and later

QNAP NAS running the following versions are not affected:

  • QTS 4.3.6: Video Station 5.3.11 and later
  • QTS 4.3.3: Video Station 5.1.6 and later



DOM-Based XSS Vulnerability in QTS and QuTS hero

Release date: June 3, 2021
Security ID: QSA-21-22
Severity: Medium
CVE identifier: CVE-2021-28806
Affected products: Certain QNAP NAS

Summary

A DOM-based XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code.

We have already fixed this vulnerability in the following versions:

  • QTS 4.5.3.1652 Build 20210428 and later
  • QuTS hero h4.5.2.1638 Build 20210414 and later
  • QuTScloud c4.5.5.1656 Build 20210503 and later

QNAP NAS running QTS 4.3.6 and QTS 4.3.3 are not affected.


If you have any questions regarding this issue, please contact us at https://www.qnap.com/go/support-ticket/