Search criteria
442 vulnerabilities found for QuTS hero by QNAP Systems Inc.
CVE-2022-27596 (GCVE-0-2022-27596)
Vulnerability from cvelistv5 – Published: 2023-01-30 01:13 – Updated: 2025-03-27 18:24
VLAI?
Title
Vulnerability in QTS
Summary
A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code.
We have already fixed this vulnerability in the following versions of QuTS hero, QTS:
QuTS hero h5.0.1.2248 build 20221215 and later
QTS 5.0.1.2234 build 20221201 and later
Severity ?
9.8 (Critical)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QuTS hero |
Affected:
h5.0.1 , < h5.0.1.2248 build 20221215
(custom)
|
|||||||
|
|||||||||
Credits
huasheng_mangguo
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:32:59.336Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-23-01"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-27596",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T18:23:29.874086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T18:24:56.700Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.0.1.2248 build 20221215",
"status": "affected",
"version": "h5.0.1",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.0.1.2234 build 20221201",
"status": "affected",
"version": "5.0.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "huasheng_mangguo"
}
],
"datePublic": "2023-01-30T09:53:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code.\u003cbr\u003eWe have already fixed this vulnerability in the following versions of QuTS hero, QTS:\u003cbr\u003eQuTS hero h5.0.1.2248 build 20221215 and later\u003cbr\u003eQTS 5.0.1.2234 build 20221201 and later\u003cbr\u003e"
}
],
"value": "A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code.\nWe have already fixed this vulnerability in the following versions of QuTS hero, QTS:\nQuTS hero h5.0.1.2248 build 20221215 and later\nQTS 5.0.1.2234 build 20221201 and later\n"
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-03T01:04:37.338Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-23-01"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed this vulnerability in the following versions of QuTS hero, QTS:\u003cbr\u003eQuTS hero h5.0.1.2248 build 20221215 and later\u003cbr\u003eQTS 5.0.1.2234 build 20221201 and later\u003cbr\u003e"
}
],
"value": "We have already fixed this vulnerability in the following versions of QuTS hero, QTS:\nQuTS hero h5.0.1.2248 build 20221215 and later\nQTS 5.0.1.2234 build 20221201 and later\n"
}
],
"source": {
"advisory": "QSA-23-01",
"discovery": "EXTERNAL"
},
"title": "Vulnerability in QTS",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2022-27596",
"datePublished": "2023-01-30T01:13:47.317Z",
"dateReserved": "2022-03-21T22:02:33.326Z",
"dateUpdated": "2025-03-27T18:24:56.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44054 (GCVE-0-2021-44054)
Vulnerability from cvelistv5 – Published: 2022-05-05 16:50 – Updated: 2024-09-16 16:57
VLAI?
Title
Open redirect
Summary
An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later
Severity ?
4.3 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QuTScloud |
Affected:
unspecified , < c5.0.1.1949
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Enio Pena Navarro and Michael Messner from Siemens Energy AG
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:10:17.213Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.0.1.1949",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.0.0.1949 build 20220215",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "h4.5.4.1951 build 20220218",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.0.0.1986 build 20220324",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "4.5.4.1991 build 20220329",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Enio Pena Navarro and Michael Messner from Siemens Energy AG"
}
],
"datePublic": "2022-05-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T16:50:24.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS:\nQuTScloud c5.0.1.1949 and later\nQuTS hero h5.0.0.1949 build 20220215 and later\nQuTS hero h4.5.4.1951 build 20220218 and later\nQTS 5.0.0.1986 build 20220324 and later\nQTS 4.5.4.1991 build 20220329 and later"
}
],
"source": {
"advisory": "QSA-22-16",
"discovery": "EXTERNAL"
},
"title": "Open redirect",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2022-05-06T00:00:00.000Z",
"ID": "CVE-2021-44054",
"STATE": "PUBLIC",
"TITLE": "Open redirect"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c5.0.1.1949"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h5.0.0.1949 build 20220215"
},
{
"version_affected": "\u003c",
"version_value": "h4.5.4.1951 build 20220218"
}
]
}
},
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.0.0.1986 build 20220324"
},
{
"version_affected": "\u003c",
"version_value": "4.5.4.1991 build 20220329"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Enio Pena Navarro and Michael Messner from Siemens Energy AG"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-22-16",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS:\nQuTScloud c5.0.1.1949 and later\nQuTS hero h5.0.0.1949 build 20220215 and later\nQuTS hero h4.5.4.1951 build 20220218 and later\nQTS 5.0.0.1986 build 20220324 and later\nQTS 4.5.4.1991 build 20220329 and later"
}
],
"source": {
"advisory": "QSA-22-16",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-44054",
"datePublished": "2022-05-05T16:50:24.966Z",
"dateReserved": "2021-11-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:57:37.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44053 (GCVE-0-2021-44053)
Vulnerability from cvelistv5 – Published: 2022-05-05 16:50 – Updated: 2024-09-16 19:31
VLAI?
Title
Reflected XSS
Summary
A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QTS 4.5.4.1991 build 20220329 and later QTS 5.0.0.1986 build 20220324 and later QuTS hero h5.0.0.1986 build 20220324 and later QuTS hero h4.5.4.1971 build 20220310 and later QuTScloud c5.0.1.1949 and later
Severity ?
5.7 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.5.4.1991 build 20220329
(custom)
Affected: unspecified , < 5.0.0.1986 build 20220324 (custom) |
||||||||||||
|
||||||||||||||
Credits
Enio Pena Navarro and Michael Messner from Siemens Energy AG
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:10:17.365Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.4.1991 build 20220329",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "5.0.0.1986 build 20220324",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.0.0.1986 build 20220324",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "h4.5.4.1971 build 20220310",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.0.1.1949",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Enio Pena Navarro and Michael Messner from Siemens Energy AG"
}
],
"datePublic": "2022-05-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QTS 4.5.4.1991 build 20220329 and later QTS 5.0.0.1986 build 20220324 and later QuTS hero h5.0.0.1986 build 20220324 and later QuTS hero h4.5.4.1971 build 20220310 and later QuTScloud c5.0.1.1949 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T16:50:23.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud:\nQTS 4.5.4.1991 build 20220329 and later\nQTS 5.0.0.1986 build 20220324 and later\nQuTS hero h5.0.0.1986 build 20220324 and later\nQuTS hero h4.5.4.1971 build 20220310 and later\nQuTScloud c5.0.1.1949 and later"
}
],
"source": {
"advisory": "QSA-22-16",
"discovery": "EXTERNAL"
},
"title": "Reflected XSS",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2022-05-06T00:00:00.000Z",
"ID": "CVE-2021-44053",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.5.4.1991 build 20220329"
},
{
"version_affected": "\u003c",
"version_value": "5.0.0.1986 build 20220324"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h5.0.0.1986 build 20220324"
},
{
"version_affected": "\u003c",
"version_value": "h4.5.4.1971 build 20220310"
}
]
}
},
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c5.0.1.1949"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Enio Pena Navarro and Michael Messner from Siemens Energy AG"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QTS 4.5.4.1991 build 20220329 and later QTS 5.0.0.1986 build 20220324 and later QuTS hero h5.0.0.1986 build 20220324 and later QuTS hero h4.5.4.1971 build 20220310 and later QuTScloud c5.0.1.1949 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-22-16",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud:\nQTS 4.5.4.1991 build 20220329 and later\nQTS 5.0.0.1986 build 20220324 and later\nQuTS hero h5.0.0.1986 build 20220324 and later\nQuTS hero h4.5.4.1971 build 20220310 and later\nQuTScloud c5.0.1.1949 and later"
}
],
"source": {
"advisory": "QSA-22-16",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-44053",
"datePublished": "2022-05-05T16:50:23.491Z",
"dateReserved": "2021-11-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T19:31:09.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44052 (GCVE-0-2021-44052)
Vulnerability from cvelistv5 – Published: 2022-05-05 16:50 – Updated: 2024-09-16 22:56
VLAI?
Title
Arbitrary file read
Summary
An improper link resolution before file access ('Link Following') vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, and QTS. If exploited, this vulnerability allows remote attackers to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, and QTS: QuTScloud c5.0.1.1998 and later QuTS hero h4.5.4.1971 build 20220310 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 4.3.4.1976 build 20220303 and later QTS 4.3.3.1945 build 20220303 and later QTS 4.2.6 build 20220304 and later QTS 4.3.6.1965 build 20220302 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later
Severity ?
6.5 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QuTScloud |
Affected:
unspecified , < c5.0.1.1998
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Enio Pena Navarro and Michael Messner from Siemens Energy AG
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:10:17.352Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.0.1.1998",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.4.1971 build 20220310",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "h5.0.0.1986 build 20220324",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.3.4.1976 build 20220303",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "4.3.3.1945 build 20220303",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "4.2.6 build 20220304",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "4.3.6.1965 build 20220302",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "5.0.0.1986 build 20220324",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "4.5.4.1991 build 20220329",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Enio Pena Navarro and Michael Messner from Siemens Energy AG"
}
],
"datePublic": "2022-05-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An improper link resolution before file access (\u0027Link Following\u0027) vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, and QTS. If exploited, this vulnerability allows remote attackers to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, and QTS: QuTScloud c5.0.1.1998 and later QuTS hero h4.5.4.1971 build 20220310 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 4.3.4.1976 build 20220303 and later QTS 4.3.3.1945 build 20220303 and later QTS 4.2.6 build 20220304 and later QTS 4.3.6.1965 build 20220302 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T16:50:21.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, and QTS:\nQuTScloud c5.0.1.1998 and later\nQuTS hero h4.5.4.1971 build 20220310 and later\nQuTS hero h5.0.0.1986 build 20220324 and later\nQTS 4.3.4.1976 build 20220303 and later\nQTS 4.3.3.1945 build 20220303 and later\nQTS 4.2.6 build 20220304 and later\nQTS 4.3.6.1965 build 20220302 and later\nQTS 5.0.0.1986 build 20220324 and later\nQTS 4.5.4.1991 build 20220329 and later"
}
],
"source": {
"advisory": "QSA-22-16",
"discovery": "EXTERNAL"
},
"title": "Arbitrary file read",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2022-05-06T00:00:00.000Z",
"ID": "CVE-2021-44052",
"STATE": "PUBLIC",
"TITLE": "Arbitrary file read"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c5.0.1.1998"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h4.5.4.1971 build 20220310"
},
{
"version_affected": "\u003c",
"version_value": "h5.0.0.1986 build 20220324"
}
]
}
},
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.3.4.1976 build 20220303"
},
{
"version_affected": "\u003c",
"version_value": "4.3.3.1945 build 20220303"
},
{
"version_affected": "\u003c",
"version_value": "4.2.6 build 20220304"
},
{
"version_affected": "\u003c",
"version_value": "4.3.6.1965 build 20220302"
},
{
"version_affected": "\u003c",
"version_value": "5.0.0.1986 build 20220324"
},
{
"version_affected": "\u003c",
"version_value": "4.5.4.1991 build 20220329"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Enio Pena Navarro and Michael Messner from Siemens Energy AG"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper link resolution before file access (\u0027Link Following\u0027) vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, and QTS. If exploited, this vulnerability allows remote attackers to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, and QTS: QuTScloud c5.0.1.1998 and later QuTS hero h4.5.4.1971 build 20220310 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 4.3.4.1976 build 20220303 and later QTS 4.3.3.1945 build 20220303 and later QTS 4.2.6 build 20220304 and later QTS 4.3.6.1965 build 20220302 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-59"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-22-16",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, and QTS:\nQuTScloud c5.0.1.1998 and later\nQuTS hero h4.5.4.1971 build 20220310 and later\nQuTS hero h5.0.0.1986 build 20220324 and later\nQTS 4.3.4.1976 build 20220303 and later\nQTS 4.3.3.1945 build 20220303 and later\nQTS 4.2.6 build 20220304 and later\nQTS 4.3.6.1965 build 20220302 and later\nQTS 5.0.0.1986 build 20220324 and later\nQTS 4.5.4.1991 build 20220329 and later"
}
],
"source": {
"advisory": "QSA-22-16",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-44052",
"datePublished": "2022-05-05T16:50:22.030Z",
"dateReserved": "2021-11-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:56:12.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44051 (GCVE-0-2021-44051)
Vulnerability from cvelistv5 – Published: 2022-05-05 16:50 – Updated: 2024-09-16 17:43
VLAI?
Title
Command injection
Summary
A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 5.0.0.1986 build 20220324 and later
Severity ?
8.8 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QuTScloud |
Affected:
unspecified , < c5.0.1.1949
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Enio Pena Navarro and Michael Messner from Siemens Energy AG
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:10:17.275Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.0.1.1949",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.0.0.1986 build 20220324",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.0.0.1986 build 20220324",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Enio Pena Navarro and Michael Messner from Siemens Energy AG"
}
],
"datePublic": "2022-05-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 5.0.0.1986 build 20220324 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T16:50:20.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS:\nQuTScloud c5.0.1.1949 and later\nQuTS hero h5.0.0.1986 build 20220324 and later\nQTS 5.0.0.1986 build 20220324 and later"
}
],
"source": {
"advisory": "QSA-22-16",
"discovery": "EXTERNAL"
},
"title": "Command injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2022-05-06T00:00:00.000Z",
"ID": "CVE-2021-44051",
"STATE": "PUBLIC",
"TITLE": "Command injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c5.0.1.1949"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h5.0.0.1986 build 20220324"
}
]
}
},
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.0.0.1986 build 20220324"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Enio Pena Navarro and Michael Messner from Siemens Energy AG"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 5.0.0.1986 build 20220324 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-77"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-22-16",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS:\nQuTScloud c5.0.1.1949 and later\nQuTS hero h5.0.0.1986 build 20220324 and later\nQTS 5.0.0.1986 build 20220324 and later"
}
],
"source": {
"advisory": "QSA-22-16",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-44051",
"datePublished": "2022-05-05T16:50:20.575Z",
"dateReserved": "2021-11-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:43:45.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38693 (GCVE-0-2021-38693)
Vulnerability from cvelistv5 – Published: 2022-05-05 16:50 – Updated: 2024-09-16 18:08
VLAI?
Title
Path Traversal in thttpd
Summary
A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. If exploited, this vulnerability allows attackers to read the contents of unexpected files and expose sensitive data. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later
Severity ?
5.3 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QuTScloud |
Affected:
unspecified , < c5.0.1.1949
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Giles, Guido and Simas, Iury from Thomson Reuters
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:51:19.733Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-13"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.0.1.1949",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.0.0.1949 build 20220215",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "h4.5.4.1951 build 20220218",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.0.0.1986 build 20220324",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "4.5.4.1991 build 20220329",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Giles, Guido and Simas, Iury from Thomson Reuters"
}
],
"datePublic": "2022-05-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. If exploited, this vulnerability allows attackers to read the contents of unexpected files and expose sensitive data. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T16:50:18.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-13"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance:\nQuTScloud c5.0.1.1949 and later\nQuTS hero h5.0.0.1949 build 20220215 and later\nQuTS hero h4.5.4.1951 build 20220218 and later\nQTS 5.0.0.1986 build 20220324 and later\nQTS 4.5.4.1991 build 20220329 and later"
}
],
"source": {
"advisory": "QSA-22-13",
"discovery": "EXTERNAL"
},
"title": "Path Traversal in thttpd",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2022-05-06T00:00:00.000Z",
"ID": "CVE-2021-38693",
"STATE": "PUBLIC",
"TITLE": "Path Traversal in thttpd"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c5.0.1.1949"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h5.0.0.1949 build 20220215"
},
{
"version_affected": "\u003c",
"version_value": "h4.5.4.1951 build 20220218"
}
]
}
},
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.0.0.1986 build 20220324"
},
{
"version_affected": "\u003c",
"version_value": "4.5.4.1991 build 20220329"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Giles, Guido and Simas, Iury from Thomson Reuters"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. If exploited, this vulnerability allows attackers to read the contents of unexpected files and expose sensitive data. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-22-13",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-22-13"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance:\nQuTScloud c5.0.1.1949 and later\nQuTS hero h5.0.0.1949 build 20220215 and later\nQuTS hero h4.5.4.1951 build 20220218 and later\nQTS 5.0.0.1986 build 20220324 and later\nQTS 4.5.4.1991 build 20220329 and later"
}
],
"source": {
"advisory": "QSA-22-13",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-38693",
"datePublished": "2022-05-05T16:50:19.054Z",
"dateReserved": "2021-08-13T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:08:15.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38674 (GCVE-0-2021-38674)
Vulnerability from cvelistv5 – Published: 2022-01-07 01:15 – Updated: 2024-09-16 20:07
VLAI?
Title
Reflected XSS Vulnerability in TFTP
Summary
A cross-site scripting (XSS) vulnerability has been reported to affect QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QuTS hero h4.5.4.1771 build 20210825 and later QTS 4.5.4.1787 build 20210910 and later QuTScloud c4.5.7.1864 and later
Severity ?
4.2 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QuTS hero |
Affected:
unspecified , < h4.5.4.1771 build 20210825
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Tony Martin, a security researcher
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:51:19.069Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-63"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.4.1771 build 20210825",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.4.1787 build 20210910",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c4.5.7.1864",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tony Martin, a security researcher"
}
],
"datePublic": "2022-01-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability has been reported to affect QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QuTS hero h4.5.4.1771 build 20210825 and later QTS 4.5.4.1787 build 20210910 and later QuTScloud c4.5.7.1864 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-07T01:15:12.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-63"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTS hero, QTS, QuTScloud:\nQuTS hero h4.5.4.1771 build 20210825 and later\nQTS 4.5.4.1787 build 20210910 and later\nQuTScloud c4.5.7.1864 and later"
}
],
"source": {
"advisory": "QSA-21-63",
"discovery": "EXTERNAL"
},
"title": "Reflected XSS Vulnerability in TFTP",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2022-01-06T23:07:00.000Z",
"ID": "CVE-2021-38674",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS Vulnerability in TFTP"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h4.5.4.1771 build 20210825"
}
]
}
},
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.5.4.1787 build 20210910"
}
]
}
},
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c4.5.7.1864"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Tony Martin, a security researcher"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross-site scripting (XSS) vulnerability has been reported to affect QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QuTS hero h4.5.4.1771 build 20210825 and later QTS 4.5.4.1787 build 20210910 and later QuTScloud c4.5.7.1864 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-21-63",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-21-63"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTS hero, QTS, QuTScloud:\nQuTS hero h4.5.4.1771 build 20210825 and later\nQTS 4.5.4.1787 build 20210910 and later\nQuTScloud c4.5.7.1864 and later"
}
],
"source": {
"advisory": "QSA-21-63",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-38674",
"datePublished": "2022-01-07T01:15:12.605Z",
"dateReserved": "2021-08-13T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:07:25.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-34343 (GCVE-0-2021-34343)
Vulnerability from cvelistv5 – Published: 2021-09-10 04:00 – Updated: 2024-09-16 20:22
VLAI?
Title
Buffer Overflow Vulnerability in QTS, QuTS hero, and QuTScloud
Summary
A stack buffer overflow vulnerability has been reported to affect QNAP device running QTS, QuTScloud, QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero: QTS 4.5.4.1715 build 20210630 and later QTS 5.0.0.1716 build 20210701 and later QuTScloud c4.5.6.1755 and later QuTS hero h4.5.4.1771 build 20210825 and later
Severity ?
6 (Medium)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.5.4.1715 build 20210630
(custom)
Affected: unspecified , < 5.0.0.1716 build 20210701 (custom) |
||||||||||||
|
||||||||||||||
Credits
Bingwei Peng of VARAS@IIE
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:05:52.517Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-33"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.4.1715 build 20210630",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "5.0.0.1716 build 20210701",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c4.5.6.1755",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.4.1771 build 20210825",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Bingwei Peng of VARAS@IIE"
}
],
"datePublic": "2021-09-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A stack buffer overflow vulnerability has been reported to affect QNAP device running QTS, QuTScloud, QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero: QTS 4.5.4.1715 build 20210630 and later QTS 5.0.0.1716 build 20210701 and later QuTScloud c4.5.6.1755 and later QuTS hero h4.5.4.1771 build 20210825 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-10T04:00:22.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-33"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero:\nQTS 4.5.4.1715 build 20210630 and later\nQTS 5.0.0.1716 build 20210701 and later\nQuTScloud c4.5.6.1755 and later\nQuTS hero h4.5.4.1771 build 20210825 and later"
}
],
"source": {
"advisory": "QSA-21-33",
"discovery": "EXTERNAL"
},
"title": "Buffer Overflow Vulnerability in QTS, QuTS hero, and QuTScloud",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-09-10T12:05:00.000Z",
"ID": "CVE-2021-34343",
"STATE": "PUBLIC",
"TITLE": "Buffer Overflow Vulnerability in QTS, QuTS hero, and QuTScloud"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.5.4.1715 build 20210630"
},
{
"version_affected": "\u003c",
"version_value": "5.0.0.1716 build 20210701"
}
]
}
},
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c4.5.6.1755"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h4.5.4.1771 build 20210825"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Bingwei Peng of VARAS@IIE"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stack buffer overflow vulnerability has been reported to affect QNAP device running QTS, QuTScloud, QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero: QTS 4.5.4.1715 build 20210630 and later QTS 5.0.0.1716 build 20210701 and later QuTScloud c4.5.6.1755 and later QuTS hero h4.5.4.1771 build 20210825 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-787 Out-of-bounds Write"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-21-33",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-21-33"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero:\nQTS 4.5.4.1715 build 20210630 and later\nQTS 5.0.0.1716 build 20210701 and later\nQuTScloud c4.5.6.1755 and later\nQuTS hero h4.5.4.1771 build 20210825 and later"
}
],
"source": {
"advisory": "QSA-21-33",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-34343",
"datePublished": "2021-09-10T04:00:23.084Z",
"dateReserved": "2021-06-08T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:22:18.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28816 (GCVE-0-2021-28816)
Vulnerability from cvelistv5 – Published: 2021-09-10 04:00 – Updated: 2024-09-17 01:56
VLAI?
Title
Stack Buffer Overflow Vulnerabilities in QTS, QuTS hero, and QuTScloud
Summary
A stack buffer overflow vulnerability has been reported to affect QNAP device running QTS, QuTScloud, QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero: QTS 4.5.4.1715 build 20210630 and later QTS 5.0.0.1716 build 20210701 and later QTS 4.3.3.1693 build 20210624 and later QTS 4.3.6.1750 build 20210730 and later QuTScloud c4.5.6.1755 and later QuTS hero h4.5.4.1771 build 20210825 and later
Severity ?
7.6 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.5.4.1715 build 20210630
(custom)
Affected: unspecified , < 5.0.0.1716 build 20210701 (custom) Affected: unspecified , < 4.3.3.1693 build 20210624 (custom) Affected: unspecified , < 4.3.6.1750 build 20210730 (custom) |
||||||||||||
|
||||||||||||||
Credits
Bingwei Peng of VARAS@IIE
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:11.992Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-33"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.4.1715 build 20210630",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "5.0.0.1716 build 20210701",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "4.3.3.1693 build 20210624",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "4.3.6.1750 build 20210730",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c4.5.6.1755",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.4.1771 build 20210825",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Bingwei Peng of VARAS@IIE"
}
],
"datePublic": "2021-09-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A stack buffer overflow vulnerability has been reported to affect QNAP device running QTS, QuTScloud, QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero: QTS 4.5.4.1715 build 20210630 and later QTS 5.0.0.1716 build 20210701 and later QTS 4.3.3.1693 build 20210624 and later QTS 4.3.6.1750 build 20210730 and later QuTScloud c4.5.6.1755 and later QuTS hero h4.5.4.1771 build 20210825 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-10T04:00:21.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-33"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero:\nQTS 4.5.4.1715 build 20210630 and later\nQTS 5.0.0.1716 build 20210701 and later\nQTS 4.3.3.1693 build 20210624 and later\nQTS 4.3.6.1750 build 20210730 and later\nQuTScloud c4.5.6.1755 and later\nQuTS hero h4.5.4.1771 build 20210825 and later"
}
],
"source": {
"advisory": "QSA-21-33",
"discovery": "EXTERNAL"
},
"title": "Stack Buffer Overflow Vulnerabilities in QTS, QuTS hero, and QuTScloud",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-09-10T10:48:00.000Z",
"ID": "CVE-2021-28816",
"STATE": "PUBLIC",
"TITLE": "Stack Buffer Overflow Vulnerabilities in QTS, QuTS hero, and QuTScloud"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.5.4.1715 build 20210630"
},
{
"version_affected": "\u003c",
"version_value": "5.0.0.1716 build 20210701"
},
{
"version_affected": "\u003c",
"version_value": "4.3.3.1693 build 20210624"
},
{
"version_affected": "\u003c",
"version_value": "4.3.6.1750 build 20210730"
}
]
}
},
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c4.5.6.1755"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h4.5.4.1771 build 20210825"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Bingwei Peng of VARAS@IIE"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stack buffer overflow vulnerability has been reported to affect QNAP device running QTS, QuTScloud, QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero: QTS 4.5.4.1715 build 20210630 and later QTS 5.0.0.1716 build 20210701 and later QTS 4.3.3.1693 build 20210624 and later QTS 4.3.6.1750 build 20210730 and later QuTScloud c4.5.6.1755 and later QuTS hero h4.5.4.1771 build 20210825 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-787 Out-of-bounds Write"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-21-33",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-21-33"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero:\nQTS 4.5.4.1715 build 20210630 and later\nQTS 5.0.0.1716 build 20210701 and later\nQTS 4.3.3.1693 build 20210624 and later\nQTS 4.3.6.1750 build 20210730 and later\nQuTScloud c4.5.6.1755 and later\nQuTS hero h4.5.4.1771 build 20210825 and later"
}
],
"source": {
"advisory": "QSA-21-33",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-28816",
"datePublished": "2021-09-10T04:00:21.577Z",
"dateReserved": "2021-03-18T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:56:02.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-19957 (GCVE-0-2018-19957)
Vulnerability from cvelistv5 – Published: 2021-09-10 04:00 – Updated: 2024-09-17 02:57
VLAI?
Title
Insufficient HTTP Security Headers in QTS, QuTS hero, and QuTScloud
Summary
A vulnerability involving insufficient HTTP security headers has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. This vulnerability allows remote attackers to launch privacy and security attacks. We have already fixed this vulnerability in the following versions: QTS 4.5.4.1715 build 20210630 and later QuTS hero h4.5.4.1771 build 20210825 and later QuTScloud c4.5.6.1755 build 20210809 and later
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.5.4.1715 build 20210630
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Independent Security Evaluators
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:51:17.852Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.4.1715 build 20210630",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.4.1771 build 20210825",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c4.5.6.1755 build 20210809",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Independent Security Evaluators"
}
],
"datePublic": "2021-09-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability involving insufficient HTTP security headers has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. This vulnerability allows remote attackers to launch privacy and security attacks. We have already fixed this vulnerability in the following versions: QTS 4.5.4.1715 build 20210630 and later QuTS hero h4.5.4.1771 build 20210825 and later QuTScloud c4.5.6.1755 build 20210809 and later"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-10T04:00:18.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-03"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\nQTS 4.5.4.1715 build 20210630 and later\nQuTS hero h4.5.4.1771 build 20210825 and later\nQuTScloud c4.5.6.1755 build 20210809 and later"
}
],
"source": {
"advisory": "QSA-21-03",
"discovery": "EXTERNAL"
},
"title": "Insufficient HTTP Security Headers in QTS, QuTS hero, and QuTScloud",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-09-10T01:44:00.000Z",
"ID": "CVE-2018-19957",
"STATE": "PUBLIC",
"TITLE": "Insufficient HTTP Security Headers in QTS, QuTS hero, and QuTScloud"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.5.4.1715 build 20210630"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h4.5.4.1771 build 20210825"
}
]
}
},
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c4.5.6.1755 build 20210809"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Independent Security Evaluators"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability involving insufficient HTTP security headers has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. This vulnerability allows remote attackers to launch privacy and security attacks. We have already fixed this vulnerability in the following versions: QTS 4.5.4.1715 build 20210630 and later QuTS hero h4.5.4.1771 build 20210825 and later QuTScloud c4.5.6.1755 build 20210809 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1021"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-21-03",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-21-03"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\nQTS 4.5.4.1715 build 20210630 and later\nQuTS hero h4.5.4.1771 build 20210825 and later\nQuTScloud c4.5.6.1755 build 20210809 and later"
}
],
"source": {
"advisory": "QSA-21-03",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2018-19957",
"datePublished": "2021-09-10T04:00:18.472Z",
"dateReserved": "2018-12-07T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:57:44.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28804 (GCVE-0-2021-28804)
Vulnerability from cvelistv5 – Published: 2021-07-01 02:00 – Updated: 2024-09-16 16:54
VLAI?
Title
Command Injection Vulnerabilities in QTS and QuTS hero
Summary
A command injection vulnerabilities have been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.1.1540 build 20210107. QNAP Systems Inc. QuTS hero versions prior to h4.5.1.1582 build 20210217.
Severity ?
No CVSS data available.
CWE
- CWE-78 - OS Command Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.5.1.1540 build 20210107
(custom)
|
|||||||
|
|||||||||
Credits
Jan Hoff
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:12.229Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-29"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.1.1540 build 20210107",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.1.1582 build 20210217",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jan Hoff"
}
],
"datePublic": "2021-07-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A command injection vulnerabilities have been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.1.1540 build 20210107. QNAP Systems Inc. QuTS hero versions prior to h4.5.1.1582 build 20210217."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-01T02:00:23.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-29"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.5.1.1540 build 20210107 and later\nQuTS hero h4.5.1.1582 build 20210217 and later"
}
],
"source": {
"advisory": "QSA-21-29",
"discovery": "EXTERNAL"
},
"title": "Command Injection Vulnerabilities in QTS and QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-07-01T00:46:00.000Z",
"ID": "CVE-2021-28804",
"STATE": "PUBLIC",
"TITLE": "Command Injection Vulnerabilities in QTS and QuTS hero"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.5.1.1540 build 20210107"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h4.5.1.1582 build 20210217"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jan Hoff"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A command injection vulnerabilities have been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.1.1540 build 20210107. QNAP Systems Inc. QuTS hero versions prior to h4.5.1.1582 build 20210217."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-29",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-29"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.5.1.1540 build 20210107 and later\nQuTS hero h4.5.1.1582 build 20210217 and later"
}
],
"source": {
"advisory": "QSA-21-29",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-28804",
"datePublished": "2021-07-01T02:00:23.564Z",
"dateReserved": "2021-03-18T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:54:06.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28802 (GCVE-0-2021-28802)
Vulnerability from cvelistv5 – Published: 2021-07-01 02:00 – Updated: 2024-09-16 22:15
VLAI?
Title
Command Injection Vulnerabilities in QTS and QuTS hero
Summary
A command injection vulnerabilities have been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.1.1540 build 20210107. QNAP Systems Inc. QuTS hero versions prior to h4.5.1.1582 build 20210217.
Severity ?
No CVSS data available.
CWE
- CWE-78 - OS Command Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.5.1.1540 build 20210107
(custom)
|
|||||||
|
|||||||||
Credits
Jan Hoff
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:11.459Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-29"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.1.1540 build 20210107",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.1.1582 build 20210217",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jan Hoff"
}
],
"datePublic": "2021-07-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A command injection vulnerabilities have been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.1.1540 build 20210107. QNAP Systems Inc. QuTS hero versions prior to h4.5.1.1582 build 20210217."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-01T02:00:20.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-29"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.5.1.1540 build 20210107 and later\nQuTS hero h4.5.1.1582 build 20210217 and later"
}
],
"source": {
"advisory": "QSA-21-29",
"discovery": "EXTERNAL"
},
"title": "Command Injection Vulnerabilities in QTS and QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-07-01T00:46:00.000Z",
"ID": "CVE-2021-28802",
"STATE": "PUBLIC",
"TITLE": "Command Injection Vulnerabilities in QTS and QuTS hero"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.5.1.1540 build 20210107"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h4.5.1.1582 build 20210217"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jan Hoff"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A command injection vulnerabilities have been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.1.1540 build 20210107. QNAP Systems Inc. QuTS hero versions prior to h4.5.1.1582 build 20210217."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-29",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-29"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.5.1.1540 build 20210107 and later\nQuTS hero h4.5.1.1582 build 20210217 and later"
}
],
"source": {
"advisory": "QSA-21-29",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-28802",
"datePublished": "2021-07-01T02:00:20.433Z",
"dateReserved": "2021-03-18T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:15:54.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36194 (GCVE-0-2020-36194)
Vulnerability from cvelistv5 – Published: 2021-07-01 02:00 – Updated: 2024-09-17 02:01
VLAI?
Title
XSS Vulnerability in QTS and QuTS heroCommand Injection Vulnerabilities in QTS and QuTS hero
Summary
An XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.2.1566 Build 20210202. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 build 20210414. This issue does not affect: QNAP Systems Inc. QTS 4.5.3.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.5.2.1566 Build 20210202
(custom)
Unaffected: 4.5.3 |
|||||||
|
|||||||||
Credits
Jakub Korepta
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.456Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-32"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.2.1566 Build 20210202",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "4.5.3"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.2.1638 build 20210414",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jakub Korepta"
}
],
"datePublic": "2021-07-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.2.1566 Build 20210202. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 build 20210414. This issue does not affect: QNAP Systems Inc. QTS 4.5.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-01T02:00:17.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-32"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.5.2.1566 Build 20210202 and later\nQuTS hero h4.5.2.1638 build 20210414 and later"
}
],
"source": {
"advisory": "QSA-21-32",
"discovery": "EXTERNAL"
},
"title": "XSS Vulnerability in QTS and QuTS heroCommand Injection Vulnerabilities in QTS and QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-07-01T01:38:00.000Z",
"ID": "CVE-2020-36194",
"STATE": "PUBLIC",
"TITLE": "XSS Vulnerability in QTS and QuTS heroCommand Injection Vulnerabilities in QTS and QuTS hero"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.5.2.1566 Build 20210202"
},
{
"version_affected": "!",
"version_value": "4.5.3"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h4.5.2.1638 build 20210414"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jakub Korepta"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.2.1566 Build 20210202. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 build 20210414. This issue does not affect: QNAP Systems Inc. QTS 4.5.3."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-32",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-32"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.5.2.1566 Build 20210202 and later\nQuTS hero h4.5.2.1638 build 20210414 and later"
}
],
"source": {
"advisory": "QSA-21-32",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2020-36194",
"datePublished": "2021-07-01T02:00:17.242Z",
"dateReserved": "2021-01-19T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:01:31.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28800 (GCVE-0-2021-28800)
Vulnerability from cvelistv5 – Published: 2021-06-24 06:20 – Updated: 2024-09-16 23:01
VLAI?
Title
Command Injection Vulnerability in QTS
Summary
A command injection vulnerability has been reported to affect QNAP NAS running legacy versions of QTS. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.3.6.1663 Build 20210504; versions prior to 4.3.3.1624 Build 20210416. This issue does not affect: QNAP Systems Inc. QTS 4.5.3. QNAP Systems Inc. QuTS hero h4.5.3. QNAP Systems Inc. QuTScloud c4.5.5.
Severity ?
8.1 (High)
CWE
- CWE-78 - OS Command Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.3.6.1663 Build 20210504
(custom)
Affected: unspecified , < 4.3.3.1624 Build 20210416 (custom) Unaffected: 4.5.3 |
||||||||||||
|
||||||||||||||
Credits
CFF of Topsec Alpha Team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:11.573Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-28"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.3.6.1663 Build 20210504",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "4.3.3.1624 Build 20210416",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "4.5.3"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"status": "unaffected",
"version": "h4.5.3"
}
]
},
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"status": "unaffected",
"version": "c4.5.5"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "CFF of Topsec Alpha Team"
}
],
"datePublic": "2021-06-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A command injection vulnerability has been reported to affect QNAP NAS running legacy versions of QTS. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.3.6.1663 Build 20210504; versions prior to 4.3.3.1624 Build 20210416. This issue does not affect: QNAP Systems Inc. QTS 4.5.3. QNAP Systems Inc. QuTS hero h4.5.3. QNAP Systems Inc. QuTScloud c4.5.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-24T06:20:10.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-28"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.3.6.1663 Build 20210504 and later\nQTS 4.3.3.1624 Build 20210416 and later"
}
],
"source": {
"advisory": "QSA-21-28",
"discovery": "EXTERNAL"
},
"title": "Command Injection Vulnerability in QTS",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-06-24T05:59:00.000Z",
"ID": "CVE-2021-28800",
"STATE": "PUBLIC",
"TITLE": "Command Injection Vulnerability in QTS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.3.6.1663 Build 20210504"
},
{
"version_affected": "\u003c",
"version_value": "4.3.3.1624 Build 20210416"
},
{
"version_affected": "!",
"version_value": "4.5.3"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "!",
"version_value": "h4.5.3"
}
]
}
},
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "!",
"version_value": "c4.5.5"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "CFF of Topsec Alpha Team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A command injection vulnerability has been reported to affect QNAP NAS running legacy versions of QTS. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.3.6.1663 Build 20210504; versions prior to 4.3.3.1624 Build 20210416. This issue does not affect: QNAP Systems Inc. QTS 4.5.3. QNAP Systems Inc. QuTS hero h4.5.3. QNAP Systems Inc. QuTScloud c4.5.5."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-28",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-28"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.3.6.1663 Build 20210504 and later\nQTS 4.3.3.1624 Build 20210416 and later"
}
],
"source": {
"advisory": "QSA-21-28",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-28800",
"datePublished": "2021-06-24T06:20:11.049Z",
"dateReserved": "2021-03-18T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:01:07.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28806 (GCVE-0-2021-28806)
Vulnerability from cvelistv5 – Published: 2021-06-03 02:45 – Updated: 2024-09-16 22:55
VLAI?
Title
DOM-Based XSS Vulnerability in QTS and QuTS hero
Summary
A DOM-based XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.3.1652 Build 20210428. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 Build 20210414. QNAP Systems Inc. QuTScloud versions prior to c4.5.5.1656 Build 20210503. This issue does not affect: QNAP Systems Inc. QTS 4.3.6; 4.3.3.
Severity ?
5.7 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.5.3.1652 Build 20210428
(custom)
Unaffected: 4.3.6 Unaffected: 4.3.3 |
||||||||||||
|
||||||||||||||
Credits
Marcin Zięba
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:11.565Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-22"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.3.1652 Build 20210428",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "4.3.6"
},
{
"status": "unaffected",
"version": "4.3.3"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.2.1638 Build 20210414",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c4.5.5.1656 Build 20210503",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Marcin Zi\u0119ba"
}
],
"datePublic": "2021-06-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A DOM-based XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.3.1652 Build 20210428. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 Build 20210414. QNAP Systems Inc. QuTScloud versions prior to c4.5.5.1656 Build 20210503. This issue does not affect: QNAP Systems Inc. QTS 4.3.6; 4.3.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-03T02:45:13.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-22"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.5.3.1652 Build 20210428 and later\nQuTS hero h4.5.2.1638 Build 20210414 and later\nQuTScloud c4.5.5.1656 Build 20210503 and later"
}
],
"source": {
"advisory": "QSA-21-22",
"discovery": "EXTERNAL"
},
"title": "DOM-Based XSS Vulnerability in QTS and QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-06-03T02:06:00.000Z",
"ID": "CVE-2021-28806",
"STATE": "PUBLIC",
"TITLE": "DOM-Based XSS Vulnerability in QTS and QuTS hero"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.5.3.1652 Build 20210428"
},
{
"version_affected": "!",
"version_value": "4.3.6"
},
{
"version_affected": "!",
"version_value": "4.3.3"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h4.5.2.1638 Build 20210414"
}
]
}
},
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c4.5.5.1656 Build 20210503"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Marcin Zi\u0119ba"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A DOM-based XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.3.1652 Build 20210428. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 Build 20210414. QNAP Systems Inc. QuTScloud versions prior to c4.5.5.1656 Build 20210503. This issue does not affect: QNAP Systems Inc. QTS 4.3.6; 4.3.3."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-22",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-22"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.5.3.1652 Build 20210428 and later\nQuTS hero h4.5.2.1638 Build 20210414 and later\nQuTScloud c4.5.5.1656 Build 20210503 and later"
}
],
"source": {
"advisory": "QSA-21-22",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-28806",
"datePublished": "2021-06-03T02:45:13.325Z",
"dateReserved": "2021-03-18T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:55:32.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-27596 (GCVE-0-2022-27596)
Vulnerability from nvd – Published: 2023-01-30 01:13 – Updated: 2025-03-27 18:24
VLAI?
Title
Vulnerability in QTS
Summary
A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code.
We have already fixed this vulnerability in the following versions of QuTS hero, QTS:
QuTS hero h5.0.1.2248 build 20221215 and later
QTS 5.0.1.2234 build 20221201 and later
Severity ?
9.8 (Critical)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QuTS hero |
Affected:
h5.0.1 , < h5.0.1.2248 build 20221215
(custom)
|
|||||||
|
|||||||||
Credits
huasheng_mangguo
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:32:59.336Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-23-01"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-27596",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T18:23:29.874086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T18:24:56.700Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.0.1.2248 build 20221215",
"status": "affected",
"version": "h5.0.1",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.0.1.2234 build 20221201",
"status": "affected",
"version": "5.0.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "huasheng_mangguo"
}
],
"datePublic": "2023-01-30T09:53:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code.\u003cbr\u003eWe have already fixed this vulnerability in the following versions of QuTS hero, QTS:\u003cbr\u003eQuTS hero h5.0.1.2248 build 20221215 and later\u003cbr\u003eQTS 5.0.1.2234 build 20221201 and later\u003cbr\u003e"
}
],
"value": "A vulnerability has been reported to affect QNAP device running QuTS hero, QTS. If exploited, this vulnerability allows remote attackers to inject malicious code.\nWe have already fixed this vulnerability in the following versions of QuTS hero, QTS:\nQuTS hero h5.0.1.2248 build 20221215 and later\nQTS 5.0.1.2234 build 20221201 and later\n"
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-03T01:04:37.338Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-23-01"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed this vulnerability in the following versions of QuTS hero, QTS:\u003cbr\u003eQuTS hero h5.0.1.2248 build 20221215 and later\u003cbr\u003eQTS 5.0.1.2234 build 20221201 and later\u003cbr\u003e"
}
],
"value": "We have already fixed this vulnerability in the following versions of QuTS hero, QTS:\nQuTS hero h5.0.1.2248 build 20221215 and later\nQTS 5.0.1.2234 build 20221201 and later\n"
}
],
"source": {
"advisory": "QSA-23-01",
"discovery": "EXTERNAL"
},
"title": "Vulnerability in QTS",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2022-27596",
"datePublished": "2023-01-30T01:13:47.317Z",
"dateReserved": "2022-03-21T22:02:33.326Z",
"dateUpdated": "2025-03-27T18:24:56.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44054 (GCVE-0-2021-44054)
Vulnerability from nvd – Published: 2022-05-05 16:50 – Updated: 2024-09-16 16:57
VLAI?
Title
Open redirect
Summary
An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later
Severity ?
4.3 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QuTScloud |
Affected:
unspecified , < c5.0.1.1949
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Enio Pena Navarro and Michael Messner from Siemens Energy AG
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:10:17.213Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.0.1.1949",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.0.0.1949 build 20220215",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "h4.5.4.1951 build 20220218",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.0.0.1986 build 20220324",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "4.5.4.1991 build 20220329",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Enio Pena Navarro and Michael Messner from Siemens Energy AG"
}
],
"datePublic": "2022-05-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T16:50:24.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS:\nQuTScloud c5.0.1.1949 and later\nQuTS hero h5.0.0.1949 build 20220215 and later\nQuTS hero h4.5.4.1951 build 20220218 and later\nQTS 5.0.0.1986 build 20220324 and later\nQTS 4.5.4.1991 build 20220329 and later"
}
],
"source": {
"advisory": "QSA-22-16",
"discovery": "EXTERNAL"
},
"title": "Open redirect",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2022-05-06T00:00:00.000Z",
"ID": "CVE-2021-44054",
"STATE": "PUBLIC",
"TITLE": "Open redirect"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c5.0.1.1949"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h5.0.0.1949 build 20220215"
},
{
"version_affected": "\u003c",
"version_value": "h4.5.4.1951 build 20220218"
}
]
}
},
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.0.0.1986 build 20220324"
},
{
"version_affected": "\u003c",
"version_value": "4.5.4.1991 build 20220329"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Enio Pena Navarro and Michael Messner from Siemens Energy AG"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-22-16",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS:\nQuTScloud c5.0.1.1949 and later\nQuTS hero h5.0.0.1949 build 20220215 and later\nQuTS hero h4.5.4.1951 build 20220218 and later\nQTS 5.0.0.1986 build 20220324 and later\nQTS 4.5.4.1991 build 20220329 and later"
}
],
"source": {
"advisory": "QSA-22-16",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-44054",
"datePublished": "2022-05-05T16:50:24.966Z",
"dateReserved": "2021-11-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:57:37.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44053 (GCVE-0-2021-44053)
Vulnerability from nvd – Published: 2022-05-05 16:50 – Updated: 2024-09-16 19:31
VLAI?
Title
Reflected XSS
Summary
A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QTS 4.5.4.1991 build 20220329 and later QTS 5.0.0.1986 build 20220324 and later QuTS hero h5.0.0.1986 build 20220324 and later QuTS hero h4.5.4.1971 build 20220310 and later QuTScloud c5.0.1.1949 and later
Severity ?
5.7 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.5.4.1991 build 20220329
(custom)
Affected: unspecified , < 5.0.0.1986 build 20220324 (custom) |
||||||||||||
|
||||||||||||||
Credits
Enio Pena Navarro and Michael Messner from Siemens Energy AG
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:10:17.365Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.4.1991 build 20220329",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "5.0.0.1986 build 20220324",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.0.0.1986 build 20220324",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "h4.5.4.1971 build 20220310",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.0.1.1949",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Enio Pena Navarro and Michael Messner from Siemens Energy AG"
}
],
"datePublic": "2022-05-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QTS 4.5.4.1991 build 20220329 and later QTS 5.0.0.1986 build 20220324 and later QuTS hero h5.0.0.1986 build 20220324 and later QuTS hero h4.5.4.1971 build 20220310 and later QuTScloud c5.0.1.1949 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T16:50:23.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud:\nQTS 4.5.4.1991 build 20220329 and later\nQTS 5.0.0.1986 build 20220324 and later\nQuTS hero h5.0.0.1986 build 20220324 and later\nQuTS hero h4.5.4.1971 build 20220310 and later\nQuTScloud c5.0.1.1949 and later"
}
],
"source": {
"advisory": "QSA-22-16",
"discovery": "EXTERNAL"
},
"title": "Reflected XSS",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2022-05-06T00:00:00.000Z",
"ID": "CVE-2021-44053",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.5.4.1991 build 20220329"
},
{
"version_affected": "\u003c",
"version_value": "5.0.0.1986 build 20220324"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h5.0.0.1986 build 20220324"
},
{
"version_affected": "\u003c",
"version_value": "h4.5.4.1971 build 20220310"
}
]
}
},
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c5.0.1.1949"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Enio Pena Navarro and Michael Messner from Siemens Energy AG"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QTS 4.5.4.1991 build 20220329 and later QTS 5.0.0.1986 build 20220324 and later QuTS hero h5.0.0.1986 build 20220324 and later QuTS hero h4.5.4.1971 build 20220310 and later QuTScloud c5.0.1.1949 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-22-16",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud:\nQTS 4.5.4.1991 build 20220329 and later\nQTS 5.0.0.1986 build 20220324 and later\nQuTS hero h5.0.0.1986 build 20220324 and later\nQuTS hero h4.5.4.1971 build 20220310 and later\nQuTScloud c5.0.1.1949 and later"
}
],
"source": {
"advisory": "QSA-22-16",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-44053",
"datePublished": "2022-05-05T16:50:23.491Z",
"dateReserved": "2021-11-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T19:31:09.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44052 (GCVE-0-2021-44052)
Vulnerability from nvd – Published: 2022-05-05 16:50 – Updated: 2024-09-16 22:56
VLAI?
Title
Arbitrary file read
Summary
An improper link resolution before file access ('Link Following') vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, and QTS. If exploited, this vulnerability allows remote attackers to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, and QTS: QuTScloud c5.0.1.1998 and later QuTS hero h4.5.4.1971 build 20220310 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 4.3.4.1976 build 20220303 and later QTS 4.3.3.1945 build 20220303 and later QTS 4.2.6 build 20220304 and later QTS 4.3.6.1965 build 20220302 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later
Severity ?
6.5 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QuTScloud |
Affected:
unspecified , < c5.0.1.1998
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Enio Pena Navarro and Michael Messner from Siemens Energy AG
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:10:17.352Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.0.1.1998",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.4.1971 build 20220310",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "h5.0.0.1986 build 20220324",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.3.4.1976 build 20220303",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "4.3.3.1945 build 20220303",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "4.2.6 build 20220304",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "4.3.6.1965 build 20220302",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "5.0.0.1986 build 20220324",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "4.5.4.1991 build 20220329",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Enio Pena Navarro and Michael Messner from Siemens Energy AG"
}
],
"datePublic": "2022-05-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An improper link resolution before file access (\u0027Link Following\u0027) vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, and QTS. If exploited, this vulnerability allows remote attackers to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, and QTS: QuTScloud c5.0.1.1998 and later QuTS hero h4.5.4.1971 build 20220310 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 4.3.4.1976 build 20220303 and later QTS 4.3.3.1945 build 20220303 and later QTS 4.2.6 build 20220304 and later QTS 4.3.6.1965 build 20220302 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T16:50:21.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, and QTS:\nQuTScloud c5.0.1.1998 and later\nQuTS hero h4.5.4.1971 build 20220310 and later\nQuTS hero h5.0.0.1986 build 20220324 and later\nQTS 4.3.4.1976 build 20220303 and later\nQTS 4.3.3.1945 build 20220303 and later\nQTS 4.2.6 build 20220304 and later\nQTS 4.3.6.1965 build 20220302 and later\nQTS 5.0.0.1986 build 20220324 and later\nQTS 4.5.4.1991 build 20220329 and later"
}
],
"source": {
"advisory": "QSA-22-16",
"discovery": "EXTERNAL"
},
"title": "Arbitrary file read",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2022-05-06T00:00:00.000Z",
"ID": "CVE-2021-44052",
"STATE": "PUBLIC",
"TITLE": "Arbitrary file read"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c5.0.1.1998"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h4.5.4.1971 build 20220310"
},
{
"version_affected": "\u003c",
"version_value": "h5.0.0.1986 build 20220324"
}
]
}
},
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.3.4.1976 build 20220303"
},
{
"version_affected": "\u003c",
"version_value": "4.3.3.1945 build 20220303"
},
{
"version_affected": "\u003c",
"version_value": "4.2.6 build 20220304"
},
{
"version_affected": "\u003c",
"version_value": "4.3.6.1965 build 20220302"
},
{
"version_affected": "\u003c",
"version_value": "5.0.0.1986 build 20220324"
},
{
"version_affected": "\u003c",
"version_value": "4.5.4.1991 build 20220329"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Enio Pena Navarro and Michael Messner from Siemens Energy AG"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper link resolution before file access (\u0027Link Following\u0027) vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, and QTS. If exploited, this vulnerability allows remote attackers to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, and QTS: QuTScloud c5.0.1.1998 and later QuTS hero h4.5.4.1971 build 20220310 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 4.3.4.1976 build 20220303 and later QTS 4.3.3.1945 build 20220303 and later QTS 4.2.6 build 20220304 and later QTS 4.3.6.1965 build 20220302 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-59"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-22-16",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, and QTS:\nQuTScloud c5.0.1.1998 and later\nQuTS hero h4.5.4.1971 build 20220310 and later\nQuTS hero h5.0.0.1986 build 20220324 and later\nQTS 4.3.4.1976 build 20220303 and later\nQTS 4.3.3.1945 build 20220303 and later\nQTS 4.2.6 build 20220304 and later\nQTS 4.3.6.1965 build 20220302 and later\nQTS 5.0.0.1986 build 20220324 and later\nQTS 4.5.4.1991 build 20220329 and later"
}
],
"source": {
"advisory": "QSA-22-16",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-44052",
"datePublished": "2022-05-05T16:50:22.030Z",
"dateReserved": "2021-11-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:56:12.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44051 (GCVE-0-2021-44051)
Vulnerability from nvd – Published: 2022-05-05 16:50 – Updated: 2024-09-16 17:43
VLAI?
Title
Command injection
Summary
A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 5.0.0.1986 build 20220324 and later
Severity ?
8.8 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QuTScloud |
Affected:
unspecified , < c5.0.1.1949
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Enio Pena Navarro and Michael Messner from Siemens Energy AG
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:10:17.275Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.0.1.1949",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.0.0.1986 build 20220324",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.0.0.1986 build 20220324",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Enio Pena Navarro and Michael Messner from Siemens Energy AG"
}
],
"datePublic": "2022-05-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 5.0.0.1986 build 20220324 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T16:50:20.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS:\nQuTScloud c5.0.1.1949 and later\nQuTS hero h5.0.0.1986 build 20220324 and later\nQTS 5.0.0.1986 build 20220324 and later"
}
],
"source": {
"advisory": "QSA-22-16",
"discovery": "EXTERNAL"
},
"title": "Command injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2022-05-06T00:00:00.000Z",
"ID": "CVE-2021-44051",
"STATE": "PUBLIC",
"TITLE": "Command injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c5.0.1.1949"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h5.0.0.1986 build 20220324"
}
]
}
},
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.0.0.1986 build 20220324"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Enio Pena Navarro and Michael Messner from Siemens Energy AG"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 5.0.0.1986 build 20220324 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-77"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-22-16",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-22-16"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS:\nQuTScloud c5.0.1.1949 and later\nQuTS hero h5.0.0.1986 build 20220324 and later\nQTS 5.0.0.1986 build 20220324 and later"
}
],
"source": {
"advisory": "QSA-22-16",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-44051",
"datePublished": "2022-05-05T16:50:20.575Z",
"dateReserved": "2021-11-19T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:43:45.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38693 (GCVE-0-2021-38693)
Vulnerability from nvd – Published: 2022-05-05 16:50 – Updated: 2024-09-16 18:08
VLAI?
Title
Path Traversal in thttpd
Summary
A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. If exploited, this vulnerability allows attackers to read the contents of unexpected files and expose sensitive data. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later
Severity ?
5.3 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QuTScloud |
Affected:
unspecified , < c5.0.1.1949
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Giles, Guido and Simas, Iury from Thomson Reuters
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:51:19.733Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-13"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c5.0.1.1949",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h5.0.0.1949 build 20220215",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "h4.5.4.1951 build 20220218",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "5.0.0.1986 build 20220324",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "4.5.4.1991 build 20220329",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Giles, Guido and Simas, Iury from Thomson Reuters"
}
],
"datePublic": "2022-05-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. If exploited, this vulnerability allows attackers to read the contents of unexpected files and expose sensitive data. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T16:50:18.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-22-13"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance:\nQuTScloud c5.0.1.1949 and later\nQuTS hero h5.0.0.1949 build 20220215 and later\nQuTS hero h4.5.4.1951 build 20220218 and later\nQTS 5.0.0.1986 build 20220324 and later\nQTS 4.5.4.1991 build 20220329 and later"
}
],
"source": {
"advisory": "QSA-22-13",
"discovery": "EXTERNAL"
},
"title": "Path Traversal in thttpd",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2022-05-06T00:00:00.000Z",
"ID": "CVE-2021-38693",
"STATE": "PUBLIC",
"TITLE": "Path Traversal in thttpd"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c5.0.1.1949"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h5.0.0.1949 build 20220215"
},
{
"version_affected": "\u003c",
"version_value": "h4.5.4.1951 build 20220218"
}
]
}
},
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.0.0.1986 build 20220324"
},
{
"version_affected": "\u003c",
"version_value": "4.5.4.1991 build 20220329"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Giles, Guido and Simas, Iury from Thomson Reuters"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. If exploited, this vulnerability allows attackers to read the contents of unexpected files and expose sensitive data. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-22-13",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-22-13"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance:\nQuTScloud c5.0.1.1949 and later\nQuTS hero h5.0.0.1949 build 20220215 and later\nQuTS hero h4.5.4.1951 build 20220218 and later\nQTS 5.0.0.1986 build 20220324 and later\nQTS 4.5.4.1991 build 20220329 and later"
}
],
"source": {
"advisory": "QSA-22-13",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-38693",
"datePublished": "2022-05-05T16:50:19.054Z",
"dateReserved": "2021-08-13T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:08:15.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-38674 (GCVE-0-2021-38674)
Vulnerability from nvd – Published: 2022-01-07 01:15 – Updated: 2024-09-16 20:07
VLAI?
Title
Reflected XSS Vulnerability in TFTP
Summary
A cross-site scripting (XSS) vulnerability has been reported to affect QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QuTS hero h4.5.4.1771 build 20210825 and later QTS 4.5.4.1787 build 20210910 and later QuTScloud c4.5.7.1864 and later
Severity ?
4.2 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QuTS hero |
Affected:
unspecified , < h4.5.4.1771 build 20210825
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Tony Martin, a security researcher
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:51:19.069Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-63"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.4.1771 build 20210825",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.4.1787 build 20210910",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c4.5.7.1864",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tony Martin, a security researcher"
}
],
"datePublic": "2022-01-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability has been reported to affect QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QuTS hero h4.5.4.1771 build 20210825 and later QTS 4.5.4.1787 build 20210910 and later QuTScloud c4.5.7.1864 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-07T01:15:12.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-63"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTS hero, QTS, QuTScloud:\nQuTS hero h4.5.4.1771 build 20210825 and later\nQTS 4.5.4.1787 build 20210910 and later\nQuTScloud c4.5.7.1864 and later"
}
],
"source": {
"advisory": "QSA-21-63",
"discovery": "EXTERNAL"
},
"title": "Reflected XSS Vulnerability in TFTP",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2022-01-06T23:07:00.000Z",
"ID": "CVE-2021-38674",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS Vulnerability in TFTP"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h4.5.4.1771 build 20210825"
}
]
}
},
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.5.4.1787 build 20210910"
}
]
}
},
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c4.5.7.1864"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Tony Martin, a security researcher"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross-site scripting (XSS) vulnerability has been reported to affect QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QuTS hero h4.5.4.1771 build 20210825 and later QTS 4.5.4.1787 build 20210910 and later QuTScloud c4.5.7.1864 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-21-63",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-21-63"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QuTS hero, QTS, QuTScloud:\nQuTS hero h4.5.4.1771 build 20210825 and later\nQTS 4.5.4.1787 build 20210910 and later\nQuTScloud c4.5.7.1864 and later"
}
],
"source": {
"advisory": "QSA-21-63",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-38674",
"datePublished": "2022-01-07T01:15:12.605Z",
"dateReserved": "2021-08-13T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:07:25.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-34343 (GCVE-0-2021-34343)
Vulnerability from nvd – Published: 2021-09-10 04:00 – Updated: 2024-09-16 20:22
VLAI?
Title
Buffer Overflow Vulnerability in QTS, QuTS hero, and QuTScloud
Summary
A stack buffer overflow vulnerability has been reported to affect QNAP device running QTS, QuTScloud, QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero: QTS 4.5.4.1715 build 20210630 and later QTS 5.0.0.1716 build 20210701 and later QuTScloud c4.5.6.1755 and later QuTS hero h4.5.4.1771 build 20210825 and later
Severity ?
6 (Medium)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.5.4.1715 build 20210630
(custom)
Affected: unspecified , < 5.0.0.1716 build 20210701 (custom) |
||||||||||||
|
||||||||||||||
Credits
Bingwei Peng of VARAS@IIE
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:05:52.517Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-33"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.4.1715 build 20210630",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "5.0.0.1716 build 20210701",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c4.5.6.1755",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.4.1771 build 20210825",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Bingwei Peng of VARAS@IIE"
}
],
"datePublic": "2021-09-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A stack buffer overflow vulnerability has been reported to affect QNAP device running QTS, QuTScloud, QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero: QTS 4.5.4.1715 build 20210630 and later QTS 5.0.0.1716 build 20210701 and later QuTScloud c4.5.6.1755 and later QuTS hero h4.5.4.1771 build 20210825 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-10T04:00:22.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-33"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero:\nQTS 4.5.4.1715 build 20210630 and later\nQTS 5.0.0.1716 build 20210701 and later\nQuTScloud c4.5.6.1755 and later\nQuTS hero h4.5.4.1771 build 20210825 and later"
}
],
"source": {
"advisory": "QSA-21-33",
"discovery": "EXTERNAL"
},
"title": "Buffer Overflow Vulnerability in QTS, QuTS hero, and QuTScloud",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-09-10T12:05:00.000Z",
"ID": "CVE-2021-34343",
"STATE": "PUBLIC",
"TITLE": "Buffer Overflow Vulnerability in QTS, QuTS hero, and QuTScloud"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.5.4.1715 build 20210630"
},
{
"version_affected": "\u003c",
"version_value": "5.0.0.1716 build 20210701"
}
]
}
},
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c4.5.6.1755"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h4.5.4.1771 build 20210825"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Bingwei Peng of VARAS@IIE"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stack buffer overflow vulnerability has been reported to affect QNAP device running QTS, QuTScloud, QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero: QTS 4.5.4.1715 build 20210630 and later QTS 5.0.0.1716 build 20210701 and later QuTScloud c4.5.6.1755 and later QuTS hero h4.5.4.1771 build 20210825 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-787 Out-of-bounds Write"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-21-33",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-21-33"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero:\nQTS 4.5.4.1715 build 20210630 and later\nQTS 5.0.0.1716 build 20210701 and later\nQuTScloud c4.5.6.1755 and later\nQuTS hero h4.5.4.1771 build 20210825 and later"
}
],
"source": {
"advisory": "QSA-21-33",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-34343",
"datePublished": "2021-09-10T04:00:23.084Z",
"dateReserved": "2021-06-08T00:00:00.000Z",
"dateUpdated": "2024-09-16T20:22:18.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28816 (GCVE-0-2021-28816)
Vulnerability from nvd – Published: 2021-09-10 04:00 – Updated: 2024-09-17 01:56
VLAI?
Title
Stack Buffer Overflow Vulnerabilities in QTS, QuTS hero, and QuTScloud
Summary
A stack buffer overflow vulnerability has been reported to affect QNAP device running QTS, QuTScloud, QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero: QTS 4.5.4.1715 build 20210630 and later QTS 5.0.0.1716 build 20210701 and later QTS 4.3.3.1693 build 20210624 and later QTS 4.3.6.1750 build 20210730 and later QuTScloud c4.5.6.1755 and later QuTS hero h4.5.4.1771 build 20210825 and later
Severity ?
7.6 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.5.4.1715 build 20210630
(custom)
Affected: unspecified , < 5.0.0.1716 build 20210701 (custom) Affected: unspecified , < 4.3.3.1693 build 20210624 (custom) Affected: unspecified , < 4.3.6.1750 build 20210730 (custom) |
||||||||||||
|
||||||||||||||
Credits
Bingwei Peng of VARAS@IIE
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:11.992Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-33"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.4.1715 build 20210630",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "5.0.0.1716 build 20210701",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "4.3.3.1693 build 20210624",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "4.3.6.1750 build 20210730",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c4.5.6.1755",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.4.1771 build 20210825",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Bingwei Peng of VARAS@IIE"
}
],
"datePublic": "2021-09-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A stack buffer overflow vulnerability has been reported to affect QNAP device running QTS, QuTScloud, QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero: QTS 4.5.4.1715 build 20210630 and later QTS 5.0.0.1716 build 20210701 and later QTS 4.3.3.1693 build 20210624 and later QTS 4.3.6.1750 build 20210730 and later QuTScloud c4.5.6.1755 and later QuTS hero h4.5.4.1771 build 20210825 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-10T04:00:21.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-33"
}
],
"solutions": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero:\nQTS 4.5.4.1715 build 20210630 and later\nQTS 5.0.0.1716 build 20210701 and later\nQTS 4.3.3.1693 build 20210624 and later\nQTS 4.3.6.1750 build 20210730 and later\nQuTScloud c4.5.6.1755 and later\nQuTS hero h4.5.4.1771 build 20210825 and later"
}
],
"source": {
"advisory": "QSA-21-33",
"discovery": "EXTERNAL"
},
"title": "Stack Buffer Overflow Vulnerabilities in QTS, QuTS hero, and QuTScloud",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-09-10T10:48:00.000Z",
"ID": "CVE-2021-28816",
"STATE": "PUBLIC",
"TITLE": "Stack Buffer Overflow Vulnerabilities in QTS, QuTS hero, and QuTScloud"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.5.4.1715 build 20210630"
},
{
"version_affected": "\u003c",
"version_value": "5.0.0.1716 build 20210701"
},
{
"version_affected": "\u003c",
"version_value": "4.3.3.1693 build 20210624"
},
{
"version_affected": "\u003c",
"version_value": "4.3.6.1750 build 20210730"
}
]
}
},
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c4.5.6.1755"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h4.5.4.1771 build 20210825"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Bingwei Peng of VARAS@IIE"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stack buffer overflow vulnerability has been reported to affect QNAP device running QTS, QuTScloud, QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero: QTS 4.5.4.1715 build 20210630 and later QTS 5.0.0.1716 build 20210701 and later QTS 4.3.3.1693 build 20210624 and later QTS 4.3.6.1750 build 20210730 and later QuTScloud c4.5.6.1755 and later QuTS hero h4.5.4.1771 build 20210825 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-787 Out-of-bounds Write"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-21-33",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-21-33"
}
]
},
"solution": [
{
"lang": "en",
"value": "We have already fixed this vulnerability in the following versions of QTS, QuTScloud, QuTS hero:\nQTS 4.5.4.1715 build 20210630 and later\nQTS 5.0.0.1716 build 20210701 and later\nQTS 4.3.3.1693 build 20210624 and later\nQTS 4.3.6.1750 build 20210730 and later\nQuTScloud c4.5.6.1755 and later\nQuTS hero h4.5.4.1771 build 20210825 and later"
}
],
"source": {
"advisory": "QSA-21-33",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-28816",
"datePublished": "2021-09-10T04:00:21.577Z",
"dateReserved": "2021-03-18T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:56:02.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-19957 (GCVE-0-2018-19957)
Vulnerability from nvd – Published: 2021-09-10 04:00 – Updated: 2024-09-17 02:57
VLAI?
Title
Insufficient HTTP Security Headers in QTS, QuTS hero, and QuTScloud
Summary
A vulnerability involving insufficient HTTP security headers has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. This vulnerability allows remote attackers to launch privacy and security attacks. We have already fixed this vulnerability in the following versions: QTS 4.5.4.1715 build 20210630 and later QuTS hero h4.5.4.1771 build 20210825 and later QuTScloud c4.5.6.1755 build 20210809 and later
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.5.4.1715 build 20210630
(custom)
|
||||||||||||
|
||||||||||||||
Credits
Independent Security Evaluators
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:51:17.852Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.4.1715 build 20210630",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.4.1771 build 20210825",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c4.5.6.1755 build 20210809",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Independent Security Evaluators"
}
],
"datePublic": "2021-09-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability involving insufficient HTTP security headers has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. This vulnerability allows remote attackers to launch privacy and security attacks. We have already fixed this vulnerability in the following versions: QTS 4.5.4.1715 build 20210630 and later QuTS hero h4.5.4.1771 build 20210825 and later QuTScloud c4.5.6.1755 build 20210809 and later"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-10T04:00:18.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-21-03"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\nQTS 4.5.4.1715 build 20210630 and later\nQuTS hero h4.5.4.1771 build 20210825 and later\nQuTScloud c4.5.6.1755 build 20210809 and later"
}
],
"source": {
"advisory": "QSA-21-03",
"discovery": "EXTERNAL"
},
"title": "Insufficient HTTP Security Headers in QTS, QuTS hero, and QuTScloud",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-09-10T01:44:00.000Z",
"ID": "CVE-2018-19957",
"STATE": "PUBLIC",
"TITLE": "Insufficient HTTP Security Headers in QTS, QuTS hero, and QuTScloud"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.5.4.1715 build 20210630"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h4.5.4.1771 build 20210825"
}
]
}
},
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c4.5.6.1755 build 20210809"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Independent Security Evaluators"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability involving insufficient HTTP security headers has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. This vulnerability allows remote attackers to launch privacy and security attacks. We have already fixed this vulnerability in the following versions: QTS 4.5.4.1715 build 20210630 and later QuTS hero h4.5.4.1771 build 20210825 and later QuTScloud c4.5.6.1755 build 20210809 and later"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1021"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/en/security-advisory/qsa-21-03",
"refsource": "MISC",
"url": "https://www.qnap.com/en/security-advisory/qsa-21-03"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\nQTS 4.5.4.1715 build 20210630 and later\nQuTS hero h4.5.4.1771 build 20210825 and later\nQuTScloud c4.5.6.1755 build 20210809 and later"
}
],
"source": {
"advisory": "QSA-21-03",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2018-19957",
"datePublished": "2021-09-10T04:00:18.472Z",
"dateReserved": "2018-12-07T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:57:44.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28804 (GCVE-0-2021-28804)
Vulnerability from nvd – Published: 2021-07-01 02:00 – Updated: 2024-09-16 16:54
VLAI?
Title
Command Injection Vulnerabilities in QTS and QuTS hero
Summary
A command injection vulnerabilities have been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.1.1540 build 20210107. QNAP Systems Inc. QuTS hero versions prior to h4.5.1.1582 build 20210217.
Severity ?
No CVSS data available.
CWE
- CWE-78 - OS Command Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.5.1.1540 build 20210107
(custom)
|
|||||||
|
|||||||||
Credits
Jan Hoff
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:12.229Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-29"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.1.1540 build 20210107",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.1.1582 build 20210217",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jan Hoff"
}
],
"datePublic": "2021-07-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A command injection vulnerabilities have been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.1.1540 build 20210107. QNAP Systems Inc. QuTS hero versions prior to h4.5.1.1582 build 20210217."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-01T02:00:23.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-29"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.5.1.1540 build 20210107 and later\nQuTS hero h4.5.1.1582 build 20210217 and later"
}
],
"source": {
"advisory": "QSA-21-29",
"discovery": "EXTERNAL"
},
"title": "Command Injection Vulnerabilities in QTS and QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-07-01T00:46:00.000Z",
"ID": "CVE-2021-28804",
"STATE": "PUBLIC",
"TITLE": "Command Injection Vulnerabilities in QTS and QuTS hero"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.5.1.1540 build 20210107"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h4.5.1.1582 build 20210217"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jan Hoff"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A command injection vulnerabilities have been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.1.1540 build 20210107. QNAP Systems Inc. QuTS hero versions prior to h4.5.1.1582 build 20210217."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-29",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-29"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.5.1.1540 build 20210107 and later\nQuTS hero h4.5.1.1582 build 20210217 and later"
}
],
"source": {
"advisory": "QSA-21-29",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-28804",
"datePublished": "2021-07-01T02:00:23.564Z",
"dateReserved": "2021-03-18T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:54:06.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28802 (GCVE-0-2021-28802)
Vulnerability from nvd – Published: 2021-07-01 02:00 – Updated: 2024-09-16 22:15
VLAI?
Title
Command Injection Vulnerabilities in QTS and QuTS hero
Summary
A command injection vulnerabilities have been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.1.1540 build 20210107. QNAP Systems Inc. QuTS hero versions prior to h4.5.1.1582 build 20210217.
Severity ?
No CVSS data available.
CWE
- CWE-78 - OS Command Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.5.1.1540 build 20210107
(custom)
|
|||||||
|
|||||||||
Credits
Jan Hoff
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:11.459Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-29"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.1.1540 build 20210107",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.1.1582 build 20210217",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jan Hoff"
}
],
"datePublic": "2021-07-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A command injection vulnerabilities have been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.1.1540 build 20210107. QNAP Systems Inc. QuTS hero versions prior to h4.5.1.1582 build 20210217."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-01T02:00:20.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-29"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.5.1.1540 build 20210107 and later\nQuTS hero h4.5.1.1582 build 20210217 and later"
}
],
"source": {
"advisory": "QSA-21-29",
"discovery": "EXTERNAL"
},
"title": "Command Injection Vulnerabilities in QTS and QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-07-01T00:46:00.000Z",
"ID": "CVE-2021-28802",
"STATE": "PUBLIC",
"TITLE": "Command Injection Vulnerabilities in QTS and QuTS hero"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.5.1.1540 build 20210107"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h4.5.1.1582 build 20210217"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jan Hoff"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A command injection vulnerabilities have been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.1.1540 build 20210107. QNAP Systems Inc. QuTS hero versions prior to h4.5.1.1582 build 20210217."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-29",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-29"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.5.1.1540 build 20210107 and later\nQuTS hero h4.5.1.1582 build 20210217 and later"
}
],
"source": {
"advisory": "QSA-21-29",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-28802",
"datePublished": "2021-07-01T02:00:20.433Z",
"dateReserved": "2021-03-18T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:15:54.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36194 (GCVE-0-2020-36194)
Vulnerability from nvd – Published: 2021-07-01 02:00 – Updated: 2024-09-17 02:01
VLAI?
Title
XSS Vulnerability in QTS and QuTS heroCommand Injection Vulnerabilities in QTS and QuTS hero
Summary
An XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.2.1566 Build 20210202. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 build 20210414. This issue does not affect: QNAP Systems Inc. QTS 4.5.3.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.5.2.1566 Build 20210202
(custom)
Unaffected: 4.5.3 |
|||||||
|
|||||||||
Credits
Jakub Korepta
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.456Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-32"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.2.1566 Build 20210202",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "4.5.3"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.2.1638 build 20210414",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jakub Korepta"
}
],
"datePublic": "2021-07-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.2.1566 Build 20210202. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 build 20210414. This issue does not affect: QNAP Systems Inc. QTS 4.5.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-01T02:00:17.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-32"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.5.2.1566 Build 20210202 and later\nQuTS hero h4.5.2.1638 build 20210414 and later"
}
],
"source": {
"advisory": "QSA-21-32",
"discovery": "EXTERNAL"
},
"title": "XSS Vulnerability in QTS and QuTS heroCommand Injection Vulnerabilities in QTS and QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-07-01T01:38:00.000Z",
"ID": "CVE-2020-36194",
"STATE": "PUBLIC",
"TITLE": "XSS Vulnerability in QTS and QuTS heroCommand Injection Vulnerabilities in QTS and QuTS hero"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.5.2.1566 Build 20210202"
},
{
"version_affected": "!",
"version_value": "4.5.3"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h4.5.2.1638 build 20210414"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jakub Korepta"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.2.1566 Build 20210202. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 build 20210414. This issue does not affect: QNAP Systems Inc. QTS 4.5.3."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-32",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-32"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.5.2.1566 Build 20210202 and later\nQuTS hero h4.5.2.1638 build 20210414 and later"
}
],
"source": {
"advisory": "QSA-21-32",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2020-36194",
"datePublished": "2021-07-01T02:00:17.242Z",
"dateReserved": "2021-01-19T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:01:31.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28800 (GCVE-0-2021-28800)
Vulnerability from nvd – Published: 2021-06-24 06:20 – Updated: 2024-09-16 23:01
VLAI?
Title
Command Injection Vulnerability in QTS
Summary
A command injection vulnerability has been reported to affect QNAP NAS running legacy versions of QTS. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.3.6.1663 Build 20210504; versions prior to 4.3.3.1624 Build 20210416. This issue does not affect: QNAP Systems Inc. QTS 4.5.3. QNAP Systems Inc. QuTS hero h4.5.3. QNAP Systems Inc. QuTScloud c4.5.5.
Severity ?
8.1 (High)
CWE
- CWE-78 - OS Command Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.3.6.1663 Build 20210504
(custom)
Affected: unspecified , < 4.3.3.1624 Build 20210416 (custom) Unaffected: 4.5.3 |
||||||||||||
|
||||||||||||||
Credits
CFF of Topsec Alpha Team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:11.573Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-28"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.3.6.1663 Build 20210504",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "4.3.3.1624 Build 20210416",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "4.5.3"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"status": "unaffected",
"version": "h4.5.3"
}
]
},
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"status": "unaffected",
"version": "c4.5.5"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "CFF of Topsec Alpha Team"
}
],
"datePublic": "2021-06-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A command injection vulnerability has been reported to affect QNAP NAS running legacy versions of QTS. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.3.6.1663 Build 20210504; versions prior to 4.3.3.1624 Build 20210416. This issue does not affect: QNAP Systems Inc. QTS 4.5.3. QNAP Systems Inc. QuTS hero h4.5.3. QNAP Systems Inc. QuTScloud c4.5.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-24T06:20:10.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-28"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.3.6.1663 Build 20210504 and later\nQTS 4.3.3.1624 Build 20210416 and later"
}
],
"source": {
"advisory": "QSA-21-28",
"discovery": "EXTERNAL"
},
"title": "Command Injection Vulnerability in QTS",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-06-24T05:59:00.000Z",
"ID": "CVE-2021-28800",
"STATE": "PUBLIC",
"TITLE": "Command Injection Vulnerability in QTS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.3.6.1663 Build 20210504"
},
{
"version_affected": "\u003c",
"version_value": "4.3.3.1624 Build 20210416"
},
{
"version_affected": "!",
"version_value": "4.5.3"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "!",
"version_value": "h4.5.3"
}
]
}
},
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "!",
"version_value": "c4.5.5"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "CFF of Topsec Alpha Team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A command injection vulnerability has been reported to affect QNAP NAS running legacy versions of QTS. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. This issue affects: QNAP Systems Inc. QTS versions prior to 4.3.6.1663 Build 20210504; versions prior to 4.3.3.1624 Build 20210416. This issue does not affect: QNAP Systems Inc. QTS 4.5.3. QNAP Systems Inc. QuTS hero h4.5.3. QNAP Systems Inc. QuTScloud c4.5.5."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-28",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-28"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.3.6.1663 Build 20210504 and later\nQTS 4.3.3.1624 Build 20210416 and later"
}
],
"source": {
"advisory": "QSA-21-28",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-28800",
"datePublished": "2021-06-24T06:20:11.049Z",
"dateReserved": "2021-03-18T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:01:07.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28806 (GCVE-0-2021-28806)
Vulnerability from nvd – Published: 2021-06-03 02:45 – Updated: 2024-09-16 22:55
VLAI?
Title
DOM-Based XSS Vulnerability in QTS and QuTS hero
Summary
A DOM-based XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.3.1652 Build 20210428. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 Build 20210414. QNAP Systems Inc. QuTScloud versions prior to c4.5.5.1656 Build 20210503. This issue does not affect: QNAP Systems Inc. QTS 4.3.6; 4.3.3.
Severity ?
5.7 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.5.3.1652 Build 20210428
(custom)
Unaffected: 4.3.6 Unaffected: 4.3.3 |
||||||||||||
|
||||||||||||||
Credits
Marcin Zięba
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:11.565Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-22"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.5.3.1652 Build 20210428",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "4.3.6"
},
{
"status": "unaffected",
"version": "4.3.3"
}
]
},
{
"product": "QuTS hero",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "h4.5.2.1638 Build 20210414",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "QuTScloud",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "c4.5.5.1656 Build 20210503",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Marcin Zi\u0119ba"
}
],
"datePublic": "2021-06-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A DOM-based XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.3.1652 Build 20210428. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 Build 20210414. QNAP Systems Inc. QuTScloud versions prior to c4.5.5.1656 Build 20210503. This issue does not affect: QNAP Systems Inc. QTS 4.3.6; 4.3.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-03T02:45:13.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-22"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.5.3.1652 Build 20210428 and later\nQuTS hero h4.5.2.1638 Build 20210414 and later\nQuTScloud c4.5.5.1656 Build 20210503 and later"
}
],
"source": {
"advisory": "QSA-21-22",
"discovery": "EXTERNAL"
},
"title": "DOM-Based XSS Vulnerability in QTS and QuTS hero",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-06-03T02:06:00.000Z",
"ID": "CVE-2021-28806",
"STATE": "PUBLIC",
"TITLE": "DOM-Based XSS Vulnerability in QTS and QuTS hero"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.5.3.1652 Build 20210428"
},
{
"version_affected": "!",
"version_value": "4.3.6"
},
{
"version_affected": "!",
"version_value": "4.3.3"
}
]
}
},
{
"product_name": "QuTS hero",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "h4.5.2.1638 Build 20210414"
}
]
}
},
{
"product_name": "QuTScloud",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "c4.5.5.1656 Build 20210503"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Marcin Zi\u0119ba"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A DOM-based XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.3.1652 Build 20210428. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 Build 20210414. QNAP Systems Inc. QuTScloud versions prior to c4.5.5.1656 Build 20210503. This issue does not affect: QNAP Systems Inc. QTS 4.3.6; 4.3.3."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-22",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-22"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\n\nQTS 4.5.3.1652 Build 20210428 and later\nQuTS hero h4.5.2.1638 Build 20210414 and later\nQuTScloud c4.5.5.1656 Build 20210503 and later"
}
],
"source": {
"advisory": "QSA-21-22",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-28806",
"datePublished": "2021-06-03T02:45:13.325Z",
"dateReserved": "2021-03-18T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:55:32.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}