
Qnap Security Advisory Bulletin ID: QSA-21-09, QSA-21-29 ~ QSA-21-32

Concerning DNSpooq vulnerabilities, multiple command injection vulnerabilities in QTS and QuTS hero, stored XSS vulnerability in QuLog Center, stored XSS vulnerability in Q'center, and XSS vulnerability in QTS and QuTS hero

QNAP Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of the company’s products.

Use the following information and solutions to correct the security issues and vulnerabilities.

This advisory includes the following:

DNSpooq vulnerabilities in QTS
Security ID: QSA-21-09
Release date: July 1, 2021
Severity: Medium
CVE identifier: CVE-2020-25684 | CVE-2020-25685 | CVE-2020-25686
Affected products: Certain QNAP NAS

Summary
DNSpooq vulnerabilities—including DNS cache poisoning and buffer overflow vulnerabilities—have been reported to affect certain versions of QTS. If exploited, these vulnerabilities allow attackers to perform remote code execution.

The company has already fixed these vulnerabilities in the following versions:

  • QTS 4.5.3.1652 build 20210428 and later

  • QuTS hero h4.5.3.1670 build 20210515 and later

  • QuTScloud c4.5.5.1656 build 20210503 and later

Information

Multiple command injection vulnerabilities in QTS and QuTS hero
Security ID: QSA-21-29
Release date: July 1, 2021
Severity: Medium
CVE identifier: CVE-2021-28802 | CVE-2021-28804
Affected products: Certain QNAP NAS

Summary
Multiple command injection vulnerabilities have been reported to affect QTS and QuTS hero. If exploited, these vulnerabilities allow attackers to execute arbitrary commands in a compromised application.

The company has already fixed these vulnerabilities in the following versions:

  • QTS 4.5.1.1540 build 20210107 and later

  • QuTS hero h4.5.1.1582 build 20210217 and later

Information

Stored XSS vulnerability in QuLog Center
Security ID: QSA-21-30
Release date: July 1, 2021
Severity: Medium
CVE identifier: CVE-2020-36196
Affected products: QNAP NAS running QuLog Center

Summary
A stored XSS vulnerability has been reported to affect QNAP NAS running QuLog Center. If exploited, this vulnerability allows attackers to inject malicious code.

The company has already fixed this vulnerability in the following versions:

  • QuLog Center 1.2.0 and later

Information

Stored XSS vulnerability in Q’center
Security ID: QSA-21-31
Release date: July 1, 2021
Severity: Medium
CVE identifier: CVE-2021-28803
Affected products: QNAP NAS running Q’center

Summary
A stored XSS vulnerability has been reported to affect QNAP NAS running Q’center. If exploited, this vulnerability allows attackers to inject malicious code.

The company has already fixed this vulnerability in the following versions:

  • Q’center 1.11.1004 and later

Information

XSS vulnerability in QTS and QuTS hero
Security ID: QSA-21-32
Release date: July 1, 2021
Severity: Medium
CVE identifier: CVE-2020-36194
Affected products: Certain QNAP NAS

Summary
An XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code.

The company has already fixed this vulnerability in the following versions:

  • QTS 4.5.2.1566 Build 20210202 and later

  • QuTS hero h4.5.2.1638 build 20210414 and later

QNAP NAS running QTS 4.5.3 and later are not affected.

Information

Questions regarding this issue: contact
