CVE-2021-28806

EPSS 0.25%
Published 03.06.2021 03:15:08
Last modified 21.11.2024 06:00:14
Source security@qnapsecurity.com.tw
Teams watchlist Login
Open Login

A DOM-based XSS vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QTS versions prior to 4.5.3.1652 Build 20210428. QNAP Systems Inc. QuTS hero versions prior to h4.5.2.1638 Build 20210414. QNAP Systems Inc. QuTScloud versions prior to c4.5.5.1656 Build 20210503. This issue does not affect: QNAP Systems Inc. QTS 4.3.6; 4.3.3.

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Qnap ≫ Qts Version < 4.5.3.1652

Qnap ≫ Quts Hero Version < h4.5.2.1638

Qnap ≫ Qutscloud Version < c4.5.5.1656

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.25%	0.45

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N
security@qnapsecurity.com.tw	5.7	2.1	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.qnap.com/zh-tw/security-advisory/qsa-21-22

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-28806

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-28806

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-28806

EUVD