CVE-2018-19943

Warning

If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed these issues in the following QTS versions:

QTS 4.4.2.1270 build 20200410 and later
QTS 4.4.1.1261 build 20200330 and later
QTS 4.3.6.1263 build 20200330 and later
QTS 4.3.4.1282 build 20200408 and later
QTS 4.3.3.1252 build 20200409 and later
QTS 4.2.6 build 20200421 and later

Data is provided by the National Vulnerability Database (NVD)
QnapQts Version < 4.2.6
QnapQts Version >= 4.3.1.0013 < 4.3.3.1252
QnapQts Version >= 4.3.4 < 4.3.4.1282
QnapQts Version >= 4.3.6 < 4.3.6.1263
QnapQts Version >= 4.4.0 < 4.4.1.1261
QnapQts Version >= 4.4.2 < 4.4.2.1270
QnapQts Version 4.2.6 Update -
QnapQts Version 4.2.6 Update build_20170517
QnapQts Version 4.2.6 Update build_20190322
QnapQts Version 4.2.6 Update build_20190730
QnapQts Version 4.2.6 Update build_20190921
QnapQts Version 4.2.6 Update build_20191107
QnapQts Version 4.2.6 Update build_20200109
QnapQts Version 4.2.6 Update build_20200421
QnapQts Version 4.2.6 Update build_20200611
QnapQts Version 4.2.6 Update build_20200821

24.05.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability: QNAP NAS File Station Cross-Site Scripting Vulnerability

Description: A cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code.

Required actions: Apply updates per vendor instructions.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 6.46% | 0.907
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector string
nvd@nist.gov | 5.4 | 2.3 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov | 3.5 | 6.8 | 2.9 | AV:N/AC:M/Au:S/C:N/I:P/A:N
security@qnapsecurity.com.tw | 8 | 1.3 | 6 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.