Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-38693: Path Traversal Vulnerability in thttpd - Security Advisory

A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. If exploited, this vulnerability allows attackers to read the contents of unexpected files and expose sensitive data. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later

CVE
Open in Source
#vulnerability#web

<< Back to Security Advisory List

  • Release date: May 6, 2022
  • Security ID: QSA-22-13
  • Severity: Medium
  • CVE identifier: CVE-2021-38693
  • Affected products: Certain QNAP NAS
  • Status: Resolved

Summary

A path traversal vulnerability in thttpd has been reported to affect QNAP devices running QTS, QuTS hero, and QuTScloud. If exploited, this vulnerability allows attackers to access and read sensitive data.

We have already fixed this vulnerability in the following versions of QTS, QuTS hero, and QuTScloud:

  • QTS 5.0.0.1986 build 20220324 and later
  • QTS 4.5.4.1991 build 20220329 and later
  • QuTS hero h5.0.0.1949 build 20220215 and later
  • QuTS hero h4.5.4.1951 build 20220218 and later
  • QuTScloud c5.0.1.1949

Recommendation

To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.

Updating QTS, QuTS hero, or QuTScloud

  1. Log on to QTS, QuTS hero, or QuTScloud as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS, QuTS hero, or QuTScloud downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Acknowledgements:
Guido Giles and Iury Simas from Thomson Reuters
Rafay Baloch, Hammad Shamsi And Muhammad Samak from Cyber Citadel
Qualys

Revision History: V1.0 (May 6, 2022) - Published

Related news

CVE-2021-27759: Security Bulletin: Cross-site Request Forgery vulnerabilities affect HCL BigFix Inventory v9 and v10 (CVE-2021-27758, CVE-2021-27759)

This vulnerability arises because the application allows the user to perform some sensitive action without verifying that the request was sent intentionally. An attacker can cause a victim's browser to emit an HTTP request to an arbitrary URL in the application.

CVE-2021-27767: Security Bulletin: HCL BigFix Platform is affected by multiple vulnerabilities around Web Transport Security (TLS), security-related HTTP headers, Privilege Escalation, OpenSSL and zlib

The BigFix Console installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying vulnerability fixed.

CVE-2021-27760: Security Bulletin: HCL Notes 11.0 - 11.0.1 FP4 Sametime Embedded chat clients are vulnerable to group chats loading script on restart (CVE-2021-27760)

An issue was discovered in the Sametime chat feature in the Notes 11.0 - 11.0.1 FP4 clients. An authenticated Sametime chat user could cause Remote Code Execution on another chat client by sending a specially formatted message through chat containing Javascript code.

CVE-2021-44054: Multiple Vulnerabilities in QTS, QuTS hero, and QuTScloud - Security Advisory

An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later

CVE-2021-44056: Multiple Vulnerabilities in Video Station - Security Advisory

An improper authentication vulnerability has been reported to affect QNAP device running Video Station. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of Video Station: Video Station 5.5.9 and later Video Station 5.3.13 and later Video Station 5.1.8 and later

CVE-2021-44057: Vulnerability in Photo Station - Security Advisory

An improper authentication vulnerability has been reported to affect QNAP device running Photo Station. If exploited, this vulnerability allows attackers to compromise the security of the system. We have already fixed this vulnerability in the following versions of Photo Station: Photo Station 6.0.20 ( 2022/02/15 ) and later Photo Station 5.7.16 ( 2022/02/11 ) and later Photo Station 5.4.13 ( 2022/02/11 ) and later

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE