Security News > 2020 > December > QNAP fixes high severity QTS, QES, and QuTS hero vulnerabilities
QNAP has released security updates to fix multiple high severity security vulnerabilities impacting network-attached storage devices running the QES, QTS, and QuTS hero operating systems.
CVE-2020-2503: Stored cross-site scripting QES vulnerability - enables remote attackers to inject malicious code in File Station.
CVE-2016-6903: Command injection QES vulnerability - enables remote attackers to run arbitrary commands in Ishell.
QNAP says that they have already fixed these security issues in QES 2.1.1 Build 20201006 and later, QTS 4.5.1.1495 build 20201123, and QuTS hero h4.5.1.1491 build 20201119.
QNAP warned customers in October that some versions of the QTS OS are affected by the critical Windows ZeroLogon vulnerability if the NAS devices were configured as domain controllers.
News URL
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-12-24 | CVE-2020-2503 | Cross-site Scripting vulnerability in Qnap QES If exploited, this stored cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. | 5.4 |
2017-04-24 | CVE-2016-6903 | Permissions, Privileges, and Access Controls vulnerability in Lshell Project Lshell 0.9.16 lshell 0.9.16 allows remote authenticated users to break out of a limited shell and execute arbitrary commands. | 9.9 |