Qnap Security Advisory Bulletin ID: QSA-21-51 and QSA-21-52
Concerning command injection vulnerability in QVR, and improper authentication vulnerability in QVR
This is a Press Release edited by StorageNewsletter.com on December 1, 2021 at 2:01 pm
Qnap Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of the company’s products.
Use the following information and solutions to correct the security issues and vulnerabilities.
The advisory includes the following:
Command injection vulnerability in QVR
Release date: November 26, 2021
Security ID: QSA-21-51
Severity: Critical
CVE identifier: CVE-2021-38685
Affected products: Qnap VS Series NVR
Summary
A command injection vulnerability has been reported to affect Qnap VS Series NVR running QVR. If exploited, this vulnerability allows remote attackers to run arbitrary commands.
The company has already fixed the vulnerability in the following versions of QVR:
- QVR 5.1.6 build 20211109 and later
Improper authentication vulnerability in QVR
Release date: November 26, 2021
Security ID: QSA-21-52
Severity: High
CVE identifier: CVE-2021-38686
Affected products: QNAP VS Series NVR
Summary
An improper authentication vulnerability has been reported to affect Qnap VS Series NVR running QVR. If exploited, this vulnerability allows attackers to compromise the security of the system.
The company has already fixed the vulnerability in the following versions of QVR:
- QVR 5.1.6 build 20211109 and later