Severity
High
Analysis Summary
CVE-2021-28803
QNAP Q’center is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2020-36194
QNAP QTS and QuTS hero is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2020-36196
QNAP QuLog Center is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
Impact
- Gain Access
- Cross-Site Scripting
- Credential Theft
- Command Execution
Affected Vendors
- QNAP QTS
- QNAP Q’center
- QNAP QuLog Center
Affected Products
- QNAP Q’center 1.10
- QNAP Q’center 1.09
- QNAP Q’center 1.08
- QNAP QTS 4.0.3
- QNAP QTS 4.1.4
- QNAP QTS 4.2.2
- QNAP QTS 4.3.4
- QNAP QTS 4.3.5
- QNAP QuLog Center 1.0.0
- QNAP QuLog Center 1.1.0
Remediation
Refer to QNAP QSA-21-31 for the patch, upgrade, or suggested workaround information.
https://www.qnap.com/zh-tw/security-advisory/qsa-21-31
Refer to QNAP QSA-21-32 for the patch, upgrade, or suggested workaround information.
https://www.qnap.com/zh-tw/security-advisory/qsa-21-32
Refer to QNAP QSA-21-30 for the patch, upgrade, or suggested workaround information.