
Qnap Security Advisory Bulletin ID: QSA-21-57, QSA-21-59 and QSA-21-60

Concerning vulnerability in QTS and QuTS hero NAS OS, Stack Overflow vulnerability in QVR Elite, QVR Pro, and QVR Guard, and XSS and Open Redirect vulnerabilities in QcalAgent

Qnap Systems, Inc. has published security enhancements addressing vulnerabilities that could affect specific versions of the company’s products. Use the following information and solutions to correct the security issues and vulnerabilities.

The advisory includes the following:

Vulnerability in QTS and QuTS hero
Release date: January 13, 2022
Security ID: QSA-21-57
Severity: High
Affected products: Certain Qnap NAS

Summary
A vulnerability has been reported to affect QTS 4.5.3 and later versions, and QuTS hero h4.5.3 and later versions. If exploited, the vulnerability allows attackers to run arbitrary code in the system.

The company has already fixed the vulnerability in the following versions of QTS and QuTS hero:

  • QTS 5.0.0.1891 build 20211221 and later

  • QTS 4.5.4.1892 build 20211223 and later

  • QuTS hero h5.0.0.1892 build 20211222 and later


Stack Overflow vulnerability in QVR Elite, QVR Pro, and QVR Guard
Release date: January 13, 2022
Security ID: QSA-21-59
Severity: High
CVE identifier: CVE-2021-38682 | CVE-2021-38689 | CVE-2021-38690 | CVE-2021-38691 | CVE-2021-38692
Affected products: Qnap NAS running QVR Elite, QVR Pro, and QVR Guard

Summary
A stack buffer overflow vulnerability has been reported to affect Qnap NAS running QVR Elite, QVR Pro, and QVR Guard. If exploited, this vulnerability allows attackers to execute arbitrary code.

The company has already fixed this vulnerability in the following versions:

  • QVR Elite 2.1.4.0 (2021/12/06) and later

  • QVR Pro 2.1.3.0 (2021/12/06) and later

  • QVR Guard 2.1.3.0 (2021/12/06) and later


XSS and Open Redirect vulnerabilities in QcalAgent
Release date: January 13, 2022
Security ID: QSA-21-60
Severity: Medium
CVE identifier: CVE-2021-38677 | CVE-2021-38678
Affected products: QNAP NAS running QcalAgent

Summary
A cross-site scripting (XSS) vulnerability and an open redirect vulnerability have been reported to affect Qnap NAS running QcalAgent. If exploited, the vulnerabilities allow attackers to inject malicious code and redirect users to an untrusted site that contains malware.

The company has already fixed these vulnerabilities in the following versions of QcalAgent:

  • QcalAgent 1.1.7 and later

