Vulnerabilities > CVE-2021-44054 - Open Redirect vulnerability in Qnap Qts, Quts Hero and Qutscloud

CVSS 6.1 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

low complexity

qnap

CWE-601

NVD

Published: 2022-05-05

Updated: 2023-11-14

Summary

An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later

Vulnerable Configurations

Part	Description	Count
OS	Qnap Qnap QTS 4.2.6 Qnap QTS 4.3.3.0174 Qnap QTS 4.3.3.0188 Qnap QTS 4.3.3.0210 Qnap QTS 4.3.3.0229 Qnap QTS 4.3.3.0238 Qnap QTS 4.3.3.0262 Qnap QTS 4.3.3.0299 Qnap QTS 4.3.3.0351 Qnap QTS 4.3.3.0353 Qnap QTS 4.3.3.0361 Qnap QTS 4.3.3.0369 Qnap QTS 4.3.3.0378 Qnap QTS 4.3.3.0396 Qnap QTS 4.3.3.0404 Qnap QTS 4.3.3.0416 Qnap QTS 4.3.3.0418 Qnap QTS 4.3.3.0448 Qnap QTS 4.3.3.0514 Qnap QTS 4.3.3.0546 Qnap QTS 4.3.3.0570 Qnap QTS 4.3.3.0868 Qnap QTS 4.3.3.0998 Qnap QTS 4.3.3.1051 Qnap QTS 4.3.3.1098 Qnap QTS 4.3.3.1161 Qnap QTS 4.3.3.1252 Qnap QTS 4.3.3.1315 Qnap QTS 4.3.3.1386 Qnap QTS 4.3.3.1432 Qnap QTS 4.3.3.1624 Qnap QTS 4.3.3.1677 Qnap QTS 4.3.3.1693 Qnap QTS 4.3.3.1799 Qnap QTS 4.3.3.1864 Qnap QTS 4.4.0.0883 Qnap QTS 4.4.0.0931 Qnap QTS 4.4.0.0979 Qnap QTS 4.4.1 Qnap QTS 4.4.1.0948 Qnap QTS 4.4.1.0949 Qnap QTS 4.4.1.0978 Qnap QTS 4.4.1.0998 Qnap QTS 4.4.1.0999 Qnap QTS 4.4.1.1031 Qnap QTS 4.4.1.1033 Qnap QTS 4.4.1.1064 Qnap QTS 4.4.1.1081 Qnap QTS 4.4.1.1086 Qnap QTS 4.4.1.1101 Qnap QTS 4.4.1.1117 Qnap QTS 4.4.1.1146 Qnap QTS 4.4.1.1201 Qnap QTS 4.4.1.1216 Qnap QTS 4.4.1.1261 Qnap QTS 4.4.2 Qnap QTS 4.4.2.1231 Qnap QTS 4.4.2.1270 Qnap QTS 4.4.3 Qnap QTS 4.4.3.1354 Qnap QTS 4.4.3.1381 Qnap QTS 4.4.3.1400 Qnap QTS 4.4.3.1421 Qnap QTS 4.4.3.1439 Qnap QTS 4.4.3.1444 Qnap QTS 4.5.1 Qnap QTS 4.5.1.1456 Qnap QTS 4.5.1.1461 Qnap QTS 4.5.1.1465 Qnap QTS 4.5.1.1480 Qnap QTS 4.5.1.1495 Qnap QTS 4.5.1.1540 Qnap QTS 4.5.2 Qnap QTS 4.5.2.1566 Qnap QTS 4.5.2.1594 Qnap QTS 4.5.2.1630 Qnap QTS 4.5.3 Qnap QTS 4.5.3.1652 Qnap QTS 4.5.3.1670 Qnap QTS 4.5.3.1697 Qnap QTS 4.5.4 Qnap QTS 4.5.4.1715 Qnap QTS 4.5.4.1723 Qnap QTS 4.5.4.1741 Qnap QTS 4.5.4.1787 Qnap QTS 4.5.4.1800 Qnap QTS 4.5.4.1892 Qnap QTS 4.5.4.1931 Qnap QTS 4.3.6.0895 Qnap QTS 4.3.6.0907 Qnap QTS 4.3.6.0923 Qnap QTS 4.3.6.0944 Qnap QTS 4.3.6.0959 Qnap QTS 4.3.6.0979 Qnap QTS 4.3.6.0993 Qnap QTS 4.3.6.1013 Qnap QTS 4.3.6.1033 Qnap QTS 4.3.6.1070 Qnap QTS 4.3.6.1154 Qnap QTS 4.3.6.1218 Qnap QTS 4.3.6.1263 Qnap QTS 4.3.6.1286 Qnap QTS 4.3.6.1333 Qnap QTS 4.3.6.1411 Qnap QTS 4.3.6.1446 Qnap QTS 4.3.6.1620 Qnap QTS 4.3.6.1663 Qnap QTS 4.3.6.1711 Qnap QTS 4.3.6.1750 Qnap QTS 4.3.6.1831 Qnap QTS 4.3.6.1907 Qnap QTS 4.3.4.0899 Qnap QTS 4.3.4.1029 Qnap QTS 4.3.4.1082 Qnap QTS 4.3.4.1190 Qnap QTS 4.3.4.1282 Qnap QTS 4.3.4.1368 Qnap QTS 4.3.4.1417 Qnap QTS 4.3.4.1463 Qnap QTS 4.3.4.1632 Qnap QTS 4.3.4.1652 Qnap Quts Hero - Qnap Quts Hero 4.5.4.2374 Qnap Quts Hero 5.0.1.2376 Qnap Quts Hero H4.5.0 Qnap Quts Hero H4.5.0.1279 Qnap Quts Hero H4.5.0.1308 Qnap Quts Hero H4.5.0.1352 Qnap Quts Hero H4.5.0.1409 Qnap Quts Hero H4.5.1 Qnap Quts Hero H4.5.1.1472 Qnap Quts Hero H4.5.1.1491 Qnap Quts Hero H4.5.1.1582 Qnap Quts Hero H4.5.2 Qnap Quts Hero H4.5.2.1638 Qnap Quts Hero H4.5.3 Qnap Quts Hero H4.5.4 Qnap Quts Hero H5.0.0.1772 Qnap Quts Hero H5.0.0.1844 Qnap Quts Hero H5.0.0.1856 Qnap Quts Hero H5.0.0.1892 Qnap Quts Hero H5.0.0.1900 Qnap Quts Hero H5.0.0.1949 Qnap Qutscloud - Qnap Qutscloud C4.5.1 Qnap Qutscloud C4.5.1.1350 Qnap Qutscloud C4.5.2.1379 Qnap Qutscloud C4.5.3 Qnap Qutscloud C4.5.4 Qnap Qutscloud C4.5.6 Qnap Qutscloud C4.5.6.1755 Qnap Qutscloud C5.0.0.1919 Qnap Qutscloud C5.0.1.1949	222
Application	Qnap Qnap QTS *	1

Common Weakness Enumeration (CWE)

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Common Attack Pattern Enumeration and Classification (CAPEC)

Fake the Source of Data
An adversary provides data under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or it might be an attempt by the adversary to assume the rights granted to another identity. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

References

https://www.qnap.com/en/security-advisory/qsa-22-16