Headline
CVE-2021-38680: Reflected XSS Vulnerability in Kazoo Server - Security Advisory
A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Kazoo Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Kazoo Server: Kazoo Server 4.11.20 and later
<< Back to Security Advisory List
- Release date: December 10, 2021
- Security ID: QSA-21-54
- Severity: Medium
- CVE identifier: CVE-2021-38680
- Affected products: QNAP NAS running Kazoo Server
- Status: Resolved
Summary
A reflected cross-site scripting (XSS) vulnerability has been reported to affect QNAP NAS running Kazoo Server. If exploited, this vulnerability allows remote attackers to inject malicious code.
We have already fixed this vulnerability in the following versions of Kazoo Server:
- Kazoo Server 4.11.20 and later
Recommendation
To fix the vulnerability, we recommend updating Kazoo Server to the latest version.
Updating Kazoo Server
- Log on to QTS or QuTS hero as administrator.
- Open the App Center and then click .
A search box appears. - Enter "Kazoo Server".
Kazoo Server appears in the search results. - Click Update.
A confirmation message appears.
Note: The Update button is not available if your Kazoo Server is already up to date. - Click OK.
The application is updated.
Acknowledgements: XUELIANG SUN
Revision History: V1.0 (December 10, 2021) - Published