
Qnap Security Advisory Bulletin ID: QSA-21-46, QSA-21-54 and QSA-21-55

Concerning a stack buffer overflow vulnerability in Surveillance Station, a reflected XSS vulnerability in Kazoo Server, and an improper authentication vulnerability in Qfile

Qnap Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of Qnap products.

Use the following information and solutions to correct the security issues and vulnerabilities.

The advisory includes the following:

Stack buffer overflow vulnerability in Surveillance Station
Release date: December 10, 2021
Security ID: QSA-21-46
Severity: High
CVE identifier: CVE-2021-38687
Affected products: Qnap NAS running Surveillance Station

Summary
A stack buffer overflow vulnerability has been reported to affect Qnap NAS running Surveillance Station. If exploited, this vulnerability allows attackers to execute arbitrary code.

The company has already fixed the vulnerability in the following versions of Surveillance Station:

  • QTS 5.0.0 (64-bit): Surveillance Station 5.2.0.4.2 (2021/10/26) and later

  • QTS 5.0.0 (32-bit): Surveillance Station 5.2.0.3.2 (2021/10/26) and later

  • QTS 4.3.6 (64-bit): Surveillance Station 5.1.5.4.6 (2021/10/26) and later

  • QTS 4.3.6 (32-bit): Surveillance Station 5.1.5.3.6 (2021/10/26) and later

  • QTS 4.3.3: Surveillance Station 5.1.5.3.6 (2021/10/26) and later

Reflected XSS vulnerability in Kazoo Server
Release date: December 10, 2021
Security ID: QSA-21-54
Severity: Medium
CVE identifier: CVE-2021-38680
Affected products: Qnap NAS running Kazoo Server

Summary
A reflected cross-site scripting (XSS) vulnerability has been reported to affect Qnap NAS running Kazoo Server. If exploited, this vulnerability allows remote attackers to inject malicious code.

The company has already fixed the vulnerability in the following versions of Kazoo Server:

  • Kazoo Server 4.11.20 and later

Improper authentication vulnerability in Qfile
Release date: December 10, 2021
Security ID: QSA-21-55
Severity: Medium
CVE identifier: CVE-2021-38688
Affected products: Qfile for Android

Summary
An improper authentication vulnerability has been reported to affect Android devices running Qfile. If exploited, this vulnerability allows attackers to compromise the app and access private information.

The company has already fixed the vulnerability in the following versions of Qfile:

  • Qfile 3.0.0.1105 and later for Android

Questions regarding this issue: contact support.
