CVE-2021-34358: CSRF Vulnerability in QmailAgent - Security Advisory
- Release date: November 19, 2021
- Security ID: QSA-21-49
- Severity: Medium
- CVE identifier: CVE-2021-34358
- Affected products: QNAP NAS running QmailAgent
- Status: Resolved
Summary
A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP NAS running QmailAgent. If exploited, this vulnerability allows remote attackers to trick a victim into performing unintended actions on the web application while the victim is logged in.
We have already fixed this vulnerability in the following versions of QmailAgent:
- QmailAgent 3.0.2 (2021/08/25) and later
Recommendation
To fix the vulnerability, we recommend updating QmailAgent to the latest version.
Updating QmailAgent
- Log on to QTS or QuTS hero as administrator.
- Open the App Center and then click .
  A search box appears.
- Type “QmailAgent” and then press ENTER.
  QmailAgent appears in the search results.
- Click Update.
  A confirmation message appears.
  Note: The Update button is not available if your QmailAgent is already up to date.
- Click OK.
  The application is updated.
Acknowledgements: Tony Martin, a security researcher
Revision History: V1.0 (November 19, 2021) - Published