Security News > 2020 > December > QNAP fixes high severity QTS, QES, and QuTS hero vulnerabilities

QNAP fixes high severity QTS, QES, and QuTS hero vulnerabilities
2020-12-23 09:59

QNAP has released security updates to fix multiple high severity security vulnerabilities impacting network-attached storage devices running the QES, QTS, and QuTS hero operating systems.

CVE-2020-2503: Stored cross-site scripting QES vulnerability - enables remote attackers to inject malicious code in File Station.

CVE-2016-6903: Command injection QES vulnerability - enables remote attackers to run arbitrary commands in Ishell.

QNAP says that they have already fixed these security issues in QES 2.1.1 Build 20201006 and later, QTS 4.5.1.1495 build 20201123, and QuTS hero h4.5.1.1491 build 20201119.

QNAP warned customers in October that some versions of the QTS OS are affected by the critical Windows ZeroLogon vulnerability if the NAS devices were configured as domain controllers.


News URL

https://www.bleepingcomputer.com/news/security/qnap-fixes-high-severity-qts-qes-and-quts-hero-vulnerabilities/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-12-24 CVE-2020-2503 Cross-site Scripting vulnerability in Qnap QES
If exploited, this stored cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station.
network
low complexity
qnap CWE-79
5.4
5.4
2017-04-24 CVE-2016-6903 Permissions, Privileges, and Access Controls vulnerability in Lshell Project Lshell 0.9.16
lshell 0.9.16 allows remote authenticated users to break out of a limited shell and execute arbitrary commands.
network
low complexity
lshell-project CWE-264
critical
 9.9
9.9

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Qnap 80 4 97 122 76 299