Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-34360: Cross-Site Request Forgery Vulnerability in Proxy Server - Security Advisory

A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP device running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Proxy Server: QTS 4.5.x: Proxy Server 1.4.2 ( 2021/12/30 ) and later QuTS hero h5.0.0: Proxy Server 1.4.3 ( 2022/01/18 ) and later QuTScloud c4.5.6: Proxy Server 1.4.2 ( 2021/12/30 ) and later

CVE
#csrf#vulnerability

<< Back to Security Advisory List

  • Release date: May 26, 2022
  • Security ID: QSA-22-18
  • Severity: Medium
  • CVE identifier: CVE-2021-34360
  • Affected products: QNAP NAS running Proxy Server
  • Status: Resolved

Summary

A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP NAS running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code.

We have already fixed this vulnerability in the following versions of Proxy Server:

  • QTS 4.5.x, QTS 5.0.x: Proxy Server 1.4.2 (2021/12/30) and later
  • QuTS hero h5.0.x: Proxy Server 1.4.3 (2022/01/18) and later
  • QuTScloud c4.5.x, QuTScloud c5.0.x: Proxy Server 1.4.2 (2021/12/30) and later

Recommendation

To fix the vulnerability, we recommend updating Proxy Server to the latest version.

Updating Proxy Server

  1. Log on to QTS, QuTS hero, or QuTScloud as administrator.
  2. Open the App Center and then click .
    A search box appears.
  3. Enter "Proxy Server".
    Proxy Server appears in the search results.
  4. Click Update.
    A confirmation message appears.
    Note: The Update button is not available if your application is already up to date.
  5. Click OK.
    The system updates the application.

Acknowledgements: Tony Martin, a security researcher

Revision History: V1.0 (May 26, 2022) - Published

Related news

Roundtable: Amid Cyberattack Frenzy, How Can QNAP Customers Protect the Business?

Our roundtable of cybersecurity experts weighs in on what makes QNAP network-attached storage catnip for attackers, and what organizations can do about it.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907