Qnap Security Advisory Bulletin ID: QSA-21-04, QSA-21-05, QSA-21-10, QSA-21-11

Qnap Systems, Inc. had published security enhancement against security vulnerabilities that could affect specific versions of the company’s products.

Use the following information and solutions to correct the security issues and vulnerabilities.

Advisory includes following:

Cross-site Scripting Vulnerability in File Station (ID: QSA-21-04)
Multiple Vulnerabilities in Twonky Server (ID: QSA-21-10)
Command Injection Vulnerability in QTS and QuTS hero (ID: QSA-21-05)
SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On (ID: QSA-21-11)

Cross-site scripting vulnerability in File Station:
Security ID: QSA-21-04
Release date: April 16, 2021
Severity: High
CVE identifier: CVE-2018-19942
Affected products: All Qnap NAS

Summary
A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code.

We have already fixed this vulnerability in the following versions:

QTS 4.5.2.1566 build 20210202 (and later)
QTS 4.5.1.1456 build 20201015 (and later)
QTS 4.3.6.1446 build 20200929 (and later)
QTS 4.3.4.1463 build 20201006 (and later)
QTS 4.3.3.1432 build 20201006 (and later)
QTS 4.2.6 build 20210327 (and later)
QuTS hero h4.5.1.1472 build 20201031 (and later)
QuTScloud c4.5.4.1601 build 20210309 (and later)
QuTScloud c4.5.3.1454 build 20201013 (and later)

Read also

Multiple vulnerabilities in Twonky Server
Security ID: QSA-21-10
Release date: April 16, 2021
Severity: High
CVE identifier: N/A
Affected products: Qnap NAS running Twonky Server

Summary
Two vulnerabilities have been reported to affect earlier versions of Twonky Server.

An improper access restriction vulnerability allows remote attackers to gain access to sensitive information, such as the administrator username and password for accessing Twonky Server settings.
A weak password obfuscation vulnerability allows remote attackers to decrypt passwords easily.

Both vulnerabilities combined allow remote attackers to gain access to all content accessible to the server.

The vendor is releasing version 8.5.2 to address the vulnerabilities. We will update this advisory when the package is available.

Read also

Command injection vulnerability in QTS and QuTS hero
Security ID: QSA-21-05
Release date: April 16, 2021
Severity: Critical
CVE identifier: CVE-2020-2509
Affected products: All QnapNAS

Summary
A command injection vulnerability has been reported to affect QTS and QuTS hero.

If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application.

We have already fixed this vulnerability in the following versions:

QTS 4.5.2.1566 Build 20210202 and later
QTS 4.5.1.1495 Build 20201123 and later
QTS 4.3.6.1620 Build 20210322 and later
QTS 4.3.4.1632 Build 20210324 and later
QTS 4.3.3.1624 Build 20210416 and later
QTS 4.2.6 Build 20210327 and later
QuTS hero h4.5.1.1491 build 20201119 and later

Read also

SQL Injection Vulnerability in Multimedia Console and Media Streaming Add-On
Security ID: QSA-21-11
Release date: April 16, 2021
Severity: Critical
CVE identifier: CVE-2020-36195
Affected products: Qnap NAS running Multimedia Console or the Media Streaming add-on

Summary
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on.

If exploited, the vulnerability allows remote attackers to obtain application information.

We have already fixed this vulnerability in the following versions of Multimedia Console and the Media Streaming add-on.