QNAP® has published security enhancements for vulnerabilities that could affect specific versions of QNAP products. Use the following information and solutions to correct the security issues and vulnerabilities.
This advisory covers the following issues:
- Post-Authentication Reflected XSS Vulnerability in Q’center (ID: QSA-21-20)
- Command Injection Vulnerability in Video Station (ID: QSA-21-21)
- DOM-Based XSS Vulnerability in QTS and QuTS hero (ID: QSA-21-22)
Post-Authentication Reflected XSS Vulnerability in Q’center
Release date: June 3, 2021
Security ID: QSA-21-20
Severity: High
CVE identifier: CVE-2021-28807
Affected products: QNAP NAS running Q’center
Summary
A post-authentication reflected XSS vulnerability has been reported to affect QNAP NAS running Q’center. If exploited, this vulnerability allows remote attackers to inject malicious script that runs in the browser of a user who is already logged in to Q’center and opens a crafted link.
We have already fixed this vulnerability in the following versions of Q’center:
- QTS 4.5.3: Q’center v1.12.1012 and later
- QTS 4.3.6: Q’center v1.10.1004 and later
- QTS 4.3.3: Q’center v1.10.1004 and later
- QuTS hero h4.5.2: Q’center v1.12.1012 and later
- QuTScloud c4.5.4: Q’center v1.12.1012 and later
Command Injection Vulnerability in Video Station
Release date: June 3, 2021
Security ID: QSA-21-21
Severity: High
CVE identifier: CVE-2021-28812
Affected products: QNAP NAS running Video Station
Summary
A command injection vulnerability has been reported to affect certain versions of Video Station. If exploited, this vulnerability allows remote attackers to execute arbitrary commands on the NAS.
We have already fixed the issue in the following versions:
- QTS 4.5.2: Video Station 5.5.4 and later
- QuTS hero h4.5.2: Video Station 5.5.4 and later
- QuTScloud c4.5.4: Video Station 5.5.4 and later
QNAP NAS running the following versions are not affected:
- QTS 4.3.6: Video Station 5.3.11 and later
- QTS 4.3.3: Video Station 5.1.6 and later
DOM-Based XSS Vulnerability in QTS and QuTS hero
Release date: June 3, 2021
Security ID: QSA-21-22
Severity: Medium
CVE identifier: CVE-2021-28806
Affected products: Certain QNAP NAS
Summary
A DOM-based XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious script that runs in the browser of a user who opens a crafted link to the NAS web interface.
We have already fixed this vulnerability in the following versions:
- QTS 4.5.3.1652 Build 20210428 and later
- QuTS hero h4.5.2.1638 Build 20210414 and later
- QuTScloud c4.5.5.1656 Build 20210503 and later
QNAP NAS running QTS 4.3.6 and QTS 4.3.3 are not affected.
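The three "fixed in version X and later" lists above are easy to misread in a fleet inventory if versions are compared as strings (for example, "5.5.10" sorts before "5.5.4" as text). The following checker is an added example, not QNAP's own code or tooling: it transcribes the thresholds from this advisory, compares dotted version components numerically, and reports whether each installed package or firmware needs updating. The branch labels used as dictionary keys, the helper names and the sample inventory are constructed for illustration; it also assumes "and later" means any numerically higher version on the same branch, and treats QTS releases the advisory does not list (such as 4.4.x) as needing the QTS 4.5.3.1652 update.

```python
import re
from typing import Dict, Optional, Tuple

# Thresholds transcribed from this advisory. The branch labels are an
# illustrative convention of this example, not a QNAP identifier.
QCENTER_FIXED: Dict[str, str] = {                    # QSA-21-20
    "QTS 4.5.3": "1.12.1012",
    "QTS 4.3.6": "1.10.1004",
    "QTS 4.3.3": "1.10.1004",
    "QuTS hero h4.5.2": "1.12.1012",
    "QuTScloud c4.5.4": "1.12.1012",
}
VIDEO_STATION_FIXED: Dict[str, str] = {              # QSA-21-21
    "QTS 4.5.2": "5.5.4",
    "QuTS hero h4.5.2": "5.5.4",
    "QuTScloud c4.5.4": "5.5.4",
}
VIDEO_STATION_NOT_AFFECTED: Dict[str, str] = {       # QSA-21-21, older branches
    "QTS 4.3.6": "5.3.11",
    "QTS 4.3.3": "5.1.6",
}
FIRMWARE_FIXED: Dict[str, str] = {                   # QSA-21-22
    "QTS": "4.5.3.1652",
    "QuTS hero": "h4.5.2.1638",
    "QuTScloud": "c4.5.5.1656",
}
FIRMWARE_NOT_AFFECTED = {(4, 3, 6), (4, 3, 3)}       # QSA-21-22: QTS 4.3.6 / 4.3.3


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '4.5.3.1652 Build 20210428' or 'h4.5.2.1638' into (4, 5, 3, 1652).

    Only the leading dotted number is used; the build date suffix and the
    single-letter family prefix (h/c) are ignored so tuples stay comparable.
    """
    m = re.match(r"\s*[A-Za-z]?(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_at_least(installed: str, required: str) -> bool:
    """Numeric, component-wise comparison (so 5.5.10 >= 5.5.4 holds)."""
    return parse_version(installed) >= parse_version(required)


def check_app(branch: str, installed: str, fixed: Dict[str, str],
              not_affected: Optional[Dict[str, str]] = None) -> str:
    """Classify an installed app version against the advisory thresholds."""
    if not_affected and branch in not_affected:
        # The advisory only states that this version and later are unaffected;
        # anything below that threshold is flagged for update (assumption).
        return "not affected" if is_at_least(installed, not_affected[branch]) else "update"
    if branch not in fixed:
        return "unknown branch"
    return "patched" if is_at_least(installed, fixed[branch]) else "update"


def check_firmware(family: str, installed: str) -> str:
    """Classify a QTS / QuTS hero / QuTScloud firmware version for QSA-21-22."""
    version = parse_version(installed)
    if family == "QTS" and version[:3] in FIRMWARE_NOT_AFFECTED:
        return "not affected"
    if family not in FIRMWARE_FIXED:
        return "unknown family"
    return "patched" if version >= parse_version(FIRMWARE_FIXED[family]) else "update"


if __name__ == "__main__":
    # Constructed inventory for demonstration; not real devices.
    inventory = [
        ("nas-01", "QTS", "4.5.3.1652 Build 20210428", "QTS 4.5.3", "1.12.1012", "QTS 4.5.2", "5.5.10"),
        ("nas-02", "QTS", "4.5.2.1630 Build 20210406", "QTS 4.5.3", "1.12.999", "QTS 4.5.2", "5.5.3"),
        ("nas-03", "QTS", "4.3.6.1620", "QTS 4.3.6", "1.10.1004", "QTS 4.3.6", "5.3.11"),
        ("nas-04", "QuTScloud", "c4.5.5.1656 Build 20210503", "QuTScloud c4.5.4", "1.12.1012", "QuTScloud c4.5.4", "5.5.4"),
    ]
    for host, fam, fw, qc_branch, qc_ver, vs_branch, vs_ver in inventory:
        print(host,
              "firmware:", check_firmware(fam, fw),
              "| Q'center:", check_app(qc_branch, qc_ver, QCENTER_FIXED),
              "| Video Station:", check_app(vs_branch, vs_ver, VIDEO_STATION_FIXED,
                                            VIDEO_STATION_NOT_AFFECTED))
```

Run it against your own exported inventory; a host reported as "update" on any column should be upgraded to the versions listed in the corresponding section above before being considered remediated.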
If you have any questions regarding this issue, please contact us at https://www.qnap.com/go/support-ticket/