Lucene search

[email protected]CVE-2021-44053

HistoryMay 06, 2022 - 12:00 a.m.

CVE-2021-44053

2022-05-0600:00:00

CWE-79

[email protected]

web.nvd.nist.gov

cve-2021-44053

cross-site scripting

xss

qnap

qts

qutshero

qutscloud

security vulnerability

remote code injection

patch

nvd

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

42.7%

JSON

A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QTS 4.5.4.1991 build 20220329 and later QTS 5.0.0.1986 build 20220324 and later QuTS hero h5.0.0.1986 build 20220324 and later QuTS hero h4.5.4.1971 build 20220310 and later QuTScloud c5.0.1.1949 and later

Affected configurations

NVD

Node

qnapqtsRange5.0.0.1716–5.0.0.1986

qnapqtsRange4.3.3.0174–4.3.3.1945

qnapqtsRange4.3.4.0899–4.3.4.1976

qnapqtsRange4.3.6.0895–4.3.6.1965

qnapqtsRange4.4.0.0883–4.5.4.1991

qnapqtsMatch4.2.6build_20170517

qnapqtsMatch4.2.6build_20190322

qnapqtsMatch4.2.6build_20190730

qnapqtsMatch4.2.6build_20190921

qnapqtsMatch4.2.6build_20191107

qnapqtsMatch4.2.6build_20200109

qnapqtsMatch4.2.6build_20200421

qnapqtsMatch4.2.6build_20200611

qnapqtsMatch4.2.6build_20200821

qnapqtsMatch4.2.6build_20210327

qnapqtsMatch4.2.6build_20211215

qnapquts_heroRange<h4.5.4.1771

qnapquts_heroRangeh5.0.0.1772–h5.0.0.1986

qnapqutscloudRange<c5.0.1.1998

CPENameOperatorVersion
qnap:qtsqnap qtslt5.0.0.1986
qnap:qtsqnap qtslt4.3.3.1945
qnap:qtsqnap qtslt4.3.4.1976
qnap:qtsqnap qtslt4.3.6.1965
qnap:qtsqnap qtslt4.5.4.1991
qnap:qtsqnap qtseq4.2.6
qnap:quts_heroqnap quts herolth4.5.4.1771
qnap:quts_heroqnap quts herolth5.0.0.1986
qnap:qutscloudqnap qutscloudltc5.0.1.1998

CPE	Name	Operator	Version
qnap:qts	qnap qts	lt	5.0.0.1986
qnap:qts	qnap qts	lt	4.3.3.1945
qnap:qts	qnap qts	lt	4.3.4.1976
qnap:qts	qnap qts	lt	4.3.6.1965
qnap:qts	qnap qts	lt	4.5.4.1991
qnap:qts	qnap qts	eq	4.2.6
qnap:quts_hero	qnap quts hero	lt	h4.5.4.1771
qnap:quts_hero	qnap quts hero	lt	h5.0.0.1986
qnap:qutscloud	qnap qutscloud	lt	c5.0.1.1998

CNA Affected

[
  {
    "product": "QTS",
    "vendor": "QNAP Systems Inc.",
    "versions": [
      {
        "lessThan": "4.5.4.1991 build 20220329",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "5.0.0.1986 build 20220324",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "QuTS hero",
    "vendor": "QNAP Systems Inc.",
    "versions": [
      {
        "lessThan": "h5.0.0.1986 build 20220324",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "h4.5.4.1971 build 20220310",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "QuTScloud",
    "vendor": "QNAP Systems Inc.",
    "versions": [
      {
        "lessThan": "c5.0.1.1949",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

www.qnap.com/en/security-advisory/qsa-22-16

Social References

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

42.7%

JSON

Related for CVE-2021-44053

prion1 nvd1 cvelist1 openvas3 thn1