Severity

High

Analysis Summary

CVE-2021-34352 

QNAP EOL could allow a remote attacker to execute commands on the system, caused by a command injection vulnerability when running QVR. A remote attacker could exploit the vulnerability to execute arbitrary commands to execute commands on the system.

CVE-2021-34354; CVE-2021-34356 

QNAP NAS is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when running Photo Station. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2021-34355 

QNAP NAS is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when running Photo Station. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

Impact

• Command Execution
• Cross-Site Scripting
• Credential Theft

Affected Vendors

• QNAP

Affected Products

• QNAP Photo Station
• QNAP QVR

Remediation

Refer to QNAP Advisory for patch, upgrade, or suggested workaround information.

CVE-2021-34352

CVE-2021-34354 ; CVE-2021-34356

CVE-2021-34355