CVE-2020-36194

EPSS 0.32%
Published 01.07.2021 02:15:07
Last modified 21.11.2024 05:28:59
Source security@qnapsecurity.com.tw
Teams watchlist Login
Open Login

An XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.2.1566 Build 20210202. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 build 20210414. This issue does not affect: QNAP Systems Inc. QTS 4.5.3.

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Qnap ≫ Qts Version < 4.5.2.1566

Qnap ≫ Quts Hero Version < h4.5.2.1638

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.32%	0.542

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N
security@qnapsecurity.com.tw	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.qnap.com/zh-tw/security-advisory/qsa-21-32

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-36194

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-36194

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-36194

EUVD