QNAP Security Advisory<br/>Post-Authentication Reflected XSS Vulnerability in Q’center<br/>Command Injection Vulnerability in Video Station<br/>DOM-Based XSS Vulnerability in QTS and QuTS hero

QNAP Security Advisory
Post-Authentication Reflected XSS Vulnerability in Q’center
Command Injection Vulnerability in Video Station
DOM-Based XSS Vulnerability in QTS and QuTS hero

  • Post comments:0 Comments
  • Reading time:2 mins read

QNAP® had published security enhancement against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.

This advisory includes the following:


Post-Authentication Reflected XSS Vulnerability in Q’center

Release date: June 3, 2021
Security ID: QSA-21-20
Severity: High
CVE identifier: CVE-2021-28807
Affected products: QNAP NAS running Q’center

Summary

A post-authentication reflected XSS vulnerability has been reported to affect QNAP NAS running Q’center. If exploited, this vulnerability allows remote attackers to inject malicious code.

We have already fixed this vulnerability in the following versions of Q’center:

  • QTS 4.5.3: Q’center v1.12.1012 and later
  • QTS 4.3.6: Q’center v1.10.1004 and later
  • QTS 4.3.3: Q’center v1.10.1004 and later
  • QuTS hero h4.5.2: Q’center v1.12.1012 and later
  • QuTScloud c4.5.4: Q’center v1.12.1012 and later

<<Learn more>>


Command Injection Vulnerability in Video Station

Release date: June 3, 2021
Security ID: QSA-21-21
Severity: High
CVE identifier: CVE-2021-28812
Affected products: QNAP NAS running Video Station

Summary

A command injection vulnerability has been reported to affect certain versions of Video Station. If exploited, this vulnerability allows remote attackers to execute arbitrary commands.

We have already fixed the issue in the following versions:

  • QTS 4.5.2: Video Station 5.5.4 and later
  • QuTS hero h4.5.2: Video Station 5.5.4 and later
  • QuTScloud c4.5.4: Video Station 5.5.4 and later

QNAP NAS running the following versions are not affected:

  • QTS 4.3.6: Video Station 5.3.11 and later
  • QTS 4.3.3: Video Station 5.1.6 and later

<<Learn more>>


DOM-Based XSS Vulnerability in QTS and QuTS hero

Release date: June 3, 2021
Security ID: QSA-21-22
Severity: Medium
CVE identifier: CVE-2021-28806
Affected products: Certain QNAP NAS

Summary

A DOM-based XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code.

We have already fixed this vulnerability in the following versions:

  • QTS 4.5.3.1652 Build 20210428 and later
  • QuTS hero h4.5.2.1638 Build 20210414 and later
  • QuTScloud c4.5.5.1656 Build 20210503 and later

QNAP NAS running QTS 4.3.6 and QTS 4.3.3 are not affected.

<<Learn more>>

If you have any questions regarding this issue, please contact us at https://www.qnap.com/go/support-ticket/

Leave a Reply