CVE-2018-19953

If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109.

Published: Oct 28, 2020
Updated: Apr 13, 2023
CVE: CVE-2018-19953
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
qnap / qts	4.2.6	4.2.6.x
qnap / qts	4.2.6-build_20170517	4.2.6-build_20170517.x
qnap / qts	4.2.6-build_20190322	4.2.6-build_20190322.x
qnap / qts	4.2.6-build_20190730	4.2.6-build_20190730.x
qnap / qts	4.2.6-build_20190921	4.2.6-build_20190921.x
qnap / qts	4.2.6-build_20191107	4.2.6-build_20191107.x
qnap / qts	-	4.2.6
qnap / qts	4.3.1.0013	4.3.3.1161
qnap / qts	4.3.4	4.3.4.1190
qnap / qts	4.3.6	4.3.6.1218
qnap / qts	4.4.0	4.4.1.1201
qnap / qts	4.4.2	4.4.2.1231

https://www.qnap.com/zh-tw/security-advisory/qsa-20-01

Vulnerability Database

289,697

CVE-2018-19953