CVSS v3.1 base score: 9.8

CVE-2020-36195

An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia Console and the Media Streaming add-on:

    QTS 4.3.3: Media Streaming add-on 430.1.8.10 and later
    QTS 4.3.6: Media Streaming add-on 430.1.8.8 and later
    QTS 4.4.x and later: Multimedia Console 1.3.4 and later

We have also fixed this vulnerability in the following versions of QTS 4.3.3 and QTS 4.3.6, respectively:

    QTS 4.3.3.1624 Build 20210416 or later
    QTS 4.3.6.1620 Build 20210322 or later
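To turn the fix list above into a repeatable check, the following is an added example (not QNAP's code and not part of the original advisory). It encodes the fixed builds named in the advisory text, falls back to the NVD affected ranges for the QTS branches the vendor text does not name, and compares versions numerically rather than as strings. It assumes QTS reports its version in the "x.y.z.build Build YYYYMMDD" form the advisory uses; the device versions fed to it at the bottom are constructed sample inputs.

```python
# Added example, not QNAP's code: encodes the fixed builds from the advisory
# text and the affected ranges from the NVD configuration list.

def parse_version(text):
    """'4.3.3.1624 Build 20210416' -> (4, 3, 3, 1624); '430.1.8.10' -> (430, 1, 8, 10).
    Tuples compare component by component as integers, so 430.1.8.10 > 430.1.8.8.
    A plain string comparison gets that backwards ('10' sorts before '8')."""
    head = text.strip().split()[0]          # drop any 'Build 2021...' suffix
    return tuple(int(part) for part in head.split("."))

# Fixed builds named in the advisory, keyed by QTS branch.
FIXED_QTS_BUILD = {(4, 3, 3): (4, 3, 3, 1624), (4, 3, 6): (4, 3, 6, 1620)}
FIXED_MEDIA_STREAMING = {(4, 3, 3): (430, 1, 8, 10), (4, 3, 6): (430, 1, 8, 8)}
FIXED_MULTIMEDIA_CONSOLE = (1, 3, 4)


def is_vulnerable(qts, media_streaming=None, multimedia_console=None):
    """True if the combination is still affected, False if one of the named
    fixes is present. Add-on versions are optional: leave them out if the add-on
    is not installed, in which case only the QTS build decides on 4.3.3/4.3.6."""
    q = parse_version(qts)
    branch = q[:3]
    if branch in FIXED_QTS_BUILD:
        if q >= FIXED_QTS_BUILD[branch]:
            return False
        if media_streaming is not None and \
                parse_version(media_streaming) >= FIXED_MEDIA_STREAMING[branch]:
            return False
        return True
    if q[:2] >= (4, 4):
        # QTS 4.4.x and later: Multimedia Console 1.3.4+ is the only fix named.
        # Without a console version we report "affected" rather than guess.
        return multimedia_console is None or \
            parse_version(multimedia_console) < FIXED_MULTIMEDIA_CONSOLE
    # QTS < 4.3.3 and 4.3.4/4.3.5: listed as affected by NVD, no fixed build named.
    return True


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    fleet = [
        ("nas-01", "4.3.3.1432", "430.1.8.9", None),
        ("nas-02", "4.3.3.1432", "430.1.8.10", None),
        ("nas-03", "4.3.6.1620 Build 20210322", None, None),
        ("nas-04", "4.4.0", None, "1.3.3"),
        ("nas-05", "4.3.5", None, None),
    ]
    for name, qts, ms, mc in fleet:
        state = "AFFECTED" if is_vulnerable(qts, ms, mc) else "fixed"
        print(f"{name}: QTS {qts} -> {state}")
```

The string-versus-tuple point is the one that bites in practice: a naive `max()` over add-on version strings would rank 430.1.8.8 above 430.1.8.10 and report a patched device as vulnerable.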

Affected configurations (data provided by the National Vulnerability Database (NVD)):

QNAP QTS Version < 4.3.3
QNAP QTS Version >= 4.3.4 < 4.3.6
QNAP QTS Version 4.3.3
QNAP QTS Version 4.3.3.0095
QNAP QTS Version 4.3.3.0096
QNAP QTS Version 4.3.3.0136
QNAP QTS Version 4.3.3.0154
QNAP QTS Version 4.3.3.0174
QNAP QTS Version 4.3.3.0188
QNAP QTS Version 4.3.3.0210
QNAP QTS Version 4.3.3.0229
QNAP QTS Version 4.3.3.0238
QNAP QTS Version 4.3.3.0262
QNAP QTS Version 4.3.3.0299
QNAP QTS Version 4.3.3.0351
QNAP QTS Version 4.3.3.0353
QNAP QTS Version 4.3.3.0361
QNAP QTS Version 4.3.3.0369
QNAP QTS Version 4.3.3.0378
QNAP QTS Version 4.3.3.0396
QNAP QTS Version 4.3.3.0404
QNAP QTS Version 4.3.3.0416
QNAP QTS Version 4.3.3.0418
QNAP QTS Version 4.3.3.0448
QNAP QTS Version 4.3.3.0514
QNAP QTS Version 4.3.3.0546
QNAP QTS Version 4.3.3.0570
QNAP QTS Version 4.3.3.0868
QNAP QTS Version 4.3.3.0998
QNAP QTS Version 4.3.3.1051
QNAP QTS Version 4.3.3.1098
QNAP QTS Version 4.3.3.1161
QNAP QTS Version 4.3.3.1252
QNAP QTS Version 4.3.3.1315
QNAP QTS Version 4.3.3.1386
QNAP QTS Version 4.3.3.1432
QNAP QTS Version 4.3.6 Update-
QNAP QTS Version 4.3.6.0895
QNAP QTS Version 4.3.6.0907
QNAP QTS Version 4.3.6.0923
QNAP QTS Version 4.3.6.0944
QNAP QTS Version 4.3.6.0959
QNAP QTS Version 4.3.6.0979
QNAP QTS Version 4.3.6.0993
QNAP QTS Version 4.3.6.1013
QNAP QTS Version 4.3.6.1033
QNAP QTS Version 4.3.6.1070
QNAP QTS Version 4.3.6.1154
QNAP QTS Version 4.3.6.1218
QNAP QTS Version 4.3.6.1263
QNAP QTS Version 4.3.6.1286
QNAP QTS Version 4.3.6.1333
QNAP QTS Version 4.3.6.1411
QNAP QTS Version 4.3.6.1446
QNAP Media Streaming Add-on Version < 430.1.8.10, running on QNAP QTS Version 4.3.3
QNAP Media Streaming Add-on Version < 430.1.8.8, running on QNAP QTS Version 4.3.6
QNAP Multimedia Console Version < 1.3.4, running on QNAP QTS Version >= 4.4.0
No CISA KEV entry or CERT.AT advisory was found for this CVE.

EPSS metrics

Type | Source    | Score | Percentile
EPSS | FIRST.org | 2.02% | 0.821 (higher than about 82% of all scored CVEs)
CVSS metrics

Source                       | Base score | Exploitability score | Impact score | Vector string
nvd@nist.gov                 | 9.8        | 3.9                  | 5.9          | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov                 | 7.5        | 10.0                 | 6.4          | AV:N/AC:L/Au:N/C:P/I:P/A:P (CVSS v2)
security@qnapsecurity.com.tw | 9.8        | 3.9                  | 5.9          | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Both NVD and the vendor score the v3.1 vector at 9.8 (network-reachable, no privileges, no user interaction, high confidentiality, integrity and availability impact), which goes well beyond the "obtain application information" wording of the description; treat the score rather than the description as the basis for prioritisation.
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-943 Improper Neutralization of Special Elements in Data Query Logic

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
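The mechanism that CWE-89 and CWE-943 describe, as an added example that is not code from QNAP or from this page: a lookup that concatenates a request parameter into its SQL text, the parameterized version of the same lookup, and the two payloads an attacker would try first. The table, its columns and rows are constructed for the example; the real schema behind Multimedia Console or the Media Streaming add-on is not known from this page. The second payload shows how a read-only injection still leaks "application information" by reading the database's own catalogue.

```python
import sqlite3

# Constructed sample data for this example only (not QNAP's schema).
SAMPLE_MEDIA = [
    ("holiday.jpg", "alice"),
    ("invoice.pdf", "bob"),
    ("backup.zip", "carol"),
]


def make_db():
    """In-memory SQLite database holding the constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE media (name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO media VALUES (?, ?)", SAMPLE_MEDIA)
    conn.commit()
    return conn


def list_media_vulnerable(conn, owner):
    """CWE-89: the request parameter is pasted into the SQL text, so quotes and
    keywords inside it are parsed as SQL syntax instead of as a value."""
    sql = "SELECT name FROM media WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def list_media_fixed(conn, owner):
    """Parameterized query: the value travels separately from the SQL text and
    cannot alter the query's logic, whatever characters it contains."""
    rows = conn.execute("SELECT name FROM media WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


# Tautology: the WHERE clause becomes  owner = '' OR '1'='1'  and matches every row.
TAUTOLOGY = "' OR '1'='1"

# UNION: closes the string literal, appends a SELECT over SQLite's schema
# catalogue and comments out the trailing quote. The result is the DDL of
# every table, i.e. application information the endpoint never meant to expose.
SCHEMA_LEAK = "' UNION SELECT sql FROM sqlite_master --"


def demo():
    """Runs both payloads through both implementations and returns the results."""
    conn = make_db()
    return {
        "legit": list_media_vulnerable(conn, "alice"),
        "tautology": list_media_vulnerable(conn, TAUTOLOGY),
        "schema": list_media_vulnerable(conn, SCHEMA_LEAK),
        "fixed_tautology": list_media_fixed(conn, TAUTOLOGY),
        "fixed_schema": list_media_fixed(conn, SCHEMA_LEAK),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:16} {rows}")
```

Against the parameterized version both payloads are simply looked up as owner names that do not exist and return nothing; against the concatenated version the tautology returns every row and the UNION payload returns the CREATE TABLE statement. The same two probes are a reasonable first test for any parameter that feeds a database-backed listing on an appliance.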