Lucene search

QnapCVE-2018-19942

HistoryApr 16, 2021 - 1:15 a.m.

CVE-2018-19942

2021-04-1601:15:12

CWE-79

CWE-80

qnap

web.nvd.nist.gov

cve-2018-19942

cross-site scripting

xss

file station

remote attackers

vulnerability

nvd

security update

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

45.3%

JSON

A cross-site scripting (XSS) vulnerability has been reported to affect earlier versions of File Station. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 build 20210202 (and later) QTS 4.5.1.1456 build 20201015 (and later) QTS 4.3.6.1446 build 20200929 (and later) QTS 4.3.4.1463 build 20201006 (and later) QTS 4.3.3.1432 build 20201006 (and later) QTS 4.2.6 build 20210327 (and later) QuTS hero h4.5.1.1472 build 20201031 (and later) QuTScloud c4.5.4.1601 build 20210309 (and later) QuTScloud c4.5.3.1454 build 20201013 (and later)

Affected configurations

Nvd

Node

qnapqtsRange<4.2.6

qnapqtsRange4.3.5–4.3.6

qnapqtsRange4.4.0–4.5.1

qnapqtsMatch4.2.6-

qnapqtsMatch4.2.6build_20170517

qnapqtsMatch4.2.6build_20190322

qnapqtsMatch4.2.6build_20190730

qnapqtsMatch4.2.6build_20190921

qnapqtsMatch4.2.6build_20191107

qnapqtsMatch4.2.6build_20200109

qnapqtsMatch4.2.6build_20200421

qnapqtsMatch4.2.6build_20200611

qnapqtsMatch4.2.6build_20200821

qnapqtsMatch4.3.3

qnapqtsMatch4.3.3.0095

qnapqtsMatch4.3.3.0096

qnapqtsMatch4.3.3.0136

qnapqtsMatch4.3.3.0154

qnapqtsMatch4.3.3.0174

qnapqtsMatch4.3.3.0188

qnapqtsMatch4.3.3.0210

qnapqtsMatch4.3.3.0229

qnapqtsMatch4.3.3.0238

qnapqtsMatch4.3.3.0262

qnapqtsMatch4.3.3.0299

qnapqtsMatch4.3.3.0351

qnapqtsMatch4.3.3.0353

qnapqtsMatch4.3.3.0361

qnapqtsMatch4.3.3.0369

qnapqtsMatch4.3.3.0378

qnapqtsMatch4.3.3.0396

qnapqtsMatch4.3.3.0404

qnapqtsMatch4.3.3.0416

qnapqtsMatch4.3.3.0418

qnapqtsMatch4.3.3.0448

qnapqtsMatch4.3.3.0514

qnapqtsMatch4.3.3.0546

qnapqtsMatch4.3.3.0570

qnapqtsMatch4.3.3.0868

qnapqtsMatch4.3.3.0998

qnapqtsMatch4.3.3.1051

qnapqtsMatch4.3.3.1098

qnapqtsMatch4.3.3.1161

qnapqtsMatch4.3.3.1252

qnapqtsMatch4.3.3.1315

qnapqtsMatch4.3.3.1386

qnapqtsMatch4.3.4

qnapqtsMatch4.3.4.0358

qnapqtsMatch4.3.4.0358beta1

qnapqtsMatch4.3.4.0370

qnapqtsMatch4.3.4.0370beta1

qnapqtsMatch4.3.4.0372

qnapqtsMatch4.3.4.0372beta1

qnapqtsMatch4.3.4.0374

qnapqtsMatch4.3.4.0374beta1

qnapqtsMatch4.3.4.0387

qnapqtsMatch4.3.4.0387beta2

qnapqtsMatch4.3.4.0411

qnapqtsMatch4.3.4.0416

qnapqtsMatch4.3.4.0427

qnapqtsMatch4.3.4.0434

qnapqtsMatch4.3.4.0435

qnapqtsMatch4.3.4.0451

qnapqtsMatch4.3.4.0483

qnapqtsMatch4.3.4.0486

qnapqtsMatch4.3.4.0506

qnapqtsMatch4.3.4.0516

qnapqtsMatch4.3.4.0526

qnapqtsMatch4.3.4.0551

qnapqtsMatch4.3.4.0557

qnapqtsMatch4.3.4.0561

qnapqtsMatch4.3.4.0569

qnapqtsMatch4.3.4.0593

qnapqtsMatch4.3.4.0597

qnapqtsMatch4.3.4.0604

qnapqtsMatch4.3.4.0899

qnapqtsMatch4.3.4.1029

qnapqtsMatch4.3.4.1082

qnapqtsMatch4.3.4.1190

qnapqtsMatch4.3.4.1282

qnapqtsMatch4.3.4.1368

qnapqtsMatch4.3.4.1417

qnapqtsMatch4.3.6-

qnapqtsMatch4.3.6.0895

qnapqtsMatch4.3.6.0907

qnapqtsMatch4.3.6.0923

qnapqtsMatch4.3.6.0944

qnapqtsMatch4.3.6.0959

qnapqtsMatch4.3.6.0979

qnapqtsMatch4.3.6.0993

qnapqtsMatch4.3.6.1013

qnapqtsMatch4.3.6.1033

qnapqtsMatch4.3.6.1070

qnapqtsMatch4.3.6.1154

qnapqtsMatch4.3.6.1218

qnapqtsMatch4.3.6.1263

qnapqtsMatch4.3.6.1286

qnapqtsMatch4.3.6.1333

qnapqtsMatch4.3.6.1411

qnapqtsMatch4.5.1-

qnapqtsMatch4.5.2-

qnapquts_heroRange<h4.5.1

qnapquts_heroMatchh4.5.1

qnapquts_heroMatchh4.5.1-

qnapqutscloudRange<c4.5.3

qnapqutscloudMatchc4.5.3-

qnapqutscloudMatchc4.5.4-

VendorProductVersionCPE
qnapqts*cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*
qnapqts4.2.6cpe:2.3:o:qnap:qts:4.2.6:-:*:*:*:*:*:*
qnapqts4.2.6cpe:2.3:o:qnap:qts:4.2.6:build_20170517:*:*:*:*:*:*
qnapqts4.2.6cpe:2.3:o:qnap:qts:4.2.6:build_20190322:*:*:*:*:*:*
qnapqts4.2.6cpe:2.3:o:qnap:qts:4.2.6:build_20190730:*:*:*:*:*:*
qnapqts4.2.6cpe:2.3:o:qnap:qts:4.2.6:build_20190921:*:*:*:*:*:*
qnapqts4.2.6cpe:2.3:o:qnap:qts:4.2.6:build_20191107:*:*:*:*:*:*
qnapqts4.2.6cpe:2.3:o:qnap:qts:4.2.6:build_20200109:*:*:*:*:*:*
qnapqts4.2.6cpe:2.3:o:qnap:qts:4.2.6:build_20200421:*:*:*:*:*:*
qnapqts4.2.6cpe:2.3:o:qnap:qts:4.2.6:build_20200611:*:*:*:*:*:*

Vendor	Product	Version	CPE
qnap	qts	*	cpe:2.3:o:qnap:qts::::::::
qnap	qts	4.2.6	cpe:2.3:o:qnap:qts:4.2.6:-::::::
qnap	qts	4.2.6	cpe:2.3:o:qnap:qts:4.2.6:build_20170517::::::
qnap	qts	4.2.6	cpe:2.3:o:qnap:qts:4.2.6:build_20190322::::::
qnap	qts	4.2.6	cpe:2.3:o:qnap:qts:4.2.6:build_20190730::::::
qnap	qts	4.2.6	cpe:2.3:o:qnap:qts:4.2.6:build_20190921::::::
qnap	qts	4.2.6	cpe:2.3:o:qnap:qts:4.2.6:build_20191107::::::
qnap	qts	4.2.6	cpe:2.3:o:qnap:qts:4.2.6:build_20200109::::::
qnap	qts	4.2.6	cpe:2.3:o:qnap:qts:4.2.6:build_20200421::::::
qnap	qts	4.2.6	cpe:2.3:o:qnap:qts:4.2.6:build_20200611::::::

Rows per page:

1-10 of 1051

CNA Affected

[
  {
    "product": "QTS",
    "vendor": "QNAP Systems Inc.",
    "versions": [
      {
        "lessThan": "4.5.2.1566 build 20210202",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "4.5.1.1456 build 20201015",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "4.3.6.1446 build 20200929",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "4.3.4.1463 build 20201006",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "4.3.3.1432 build 20201006",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "4.2.6 build 20210327",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "QuTS hero",
    "vendor": "QNAP Systems Inc.",
    "versions": [
      {
        "lessThan": "h4.5.1.1472 build 20201031",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "QuTScloud",
    "vendor": "QNAP Systems Inc.",
    "versions": [
      {
        "lessThan": "c4.5.4.1601 build 20210309",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "c4.5.3.1454 build 20201013",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

www.qnap.com/zh-tw/security-advisory/qsa-21-04

Social References

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

45.3%

JSON

Related for CVE-2018-19942