Security ID : QSA-21-11

SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On


  • Release date : April 16, 2021

  • CVE identifier : CVE-2020-36195

  • Affected products: QNAP NAS running Multimedia Console or the Media Streaming add-on

Severity

Critical

Status

Resolved


Summary

An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on.

If exploited, the vulnerability allows remote attackers to obtain application information.

We have already fixed this vulnerability in the following versions of Multimedia Console and the Media Streaming add-on.

  • QTS 4.3.3: Media Streaming add-on 430.1.8.10 and later
  • QTS 4.3.6: Media Streaming add-on 430.1.8.8 and later
  • QTS 4.4.x and later: Multimedia Console 1.3.4 and later

We have also fixed this vulnerability in the following versions of QTS 4.3.3 and QTS 4.3.6, respectively:

  • QTS 4.3.3.1624 Build 20210416 and later
  • QTS 4.3.6.1620 Build 20210322 and later

Recommendation

To fix the vulnerability, we recommend updating Multimedia Console or the Media Streaming add-on to the latest version. Additionally, for devices running QTS 4.3.3 and QTS 4.3.6, updating QTS is highly recommended.
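To find which devices still need these updates, the fixed versions listed in the Summary can be checked against an inventory. The script below is an added example, not QNAP code: the inventory format, host names and sample version values are constructed, and it assumes the four-part QTS version number is enough to identify the fixed firmware (the build date is not compared).

```python
# Minimum fixed app version per QTS branch, from the advisory (added example).
APP_FIXES = {
    (4, 3, 3): ("Media Streaming add-on", (430, 1, 8, 10)),
    (4, 3, 6): ("Media Streaming add-on", (430, 1, 8, 8)),
}
CONSOLE_FIX = ("Multimedia Console", (1, 3, 4))  # QTS 4.4.x and later
# Fixed firmware for the two older branches (assumption: build date not compared).
QTS_FIXES = {(4, 3, 3): (4, 3, 3, 1624), (4, 3, 6): (4, 3, 6, 1620)}

# Constructed sample inventory: host, QTS version, app, app version.
INVENTORY = """\
nas-a,4.3.3.1570,Media Streaming add-on,430.1.8.8
nas-b,4.3.6.1620,Media Streaming add-on,430.1.8.10
nas-c,4.5.2.1566,Multimedia Console,1.3.3
nas-d,4.4.3.1421,Multimedia Console,1.3.4
"""

def parse_version(text):
    """Turn '430.1.8.10' into (430, 1, 8, 10) so comparison is numeric.
    Compared as strings, '430.1.8.10' sorts below '430.1.8.8'."""
    return tuple(int(part) for part in text.strip().split("."))

def check(qts, app, app_version):
    """Return (app_status, firmware_status) for one device."""
    qts_v, app_v = parse_version(qts), parse_version(app_version)
    branch = qts_v[:3]
    if branch in APP_FIXES:
        name, minimum = APP_FIXES[branch]
    elif qts_v[:2] >= (4, 4):
        name, minimum = CONSOLE_FIX
    else:
        return ("unknown", "unknown")  # branch not listed in the advisory
    if app != name:
        app_status = "unknown"  # not the app the advisory names for this branch
    else:
        app_status = "fixed" if app_v >= minimum else "needs-update"
    if branch in QTS_FIXES:
        fw_status = "fixed" if qts_v >= QTS_FIXES[branch] else "needs-update"
    else:
        fw_status = "n/a"  # no firmware fix listed for QTS 4.4.x and later
    return (app_status, fw_status)

def audit(inventory):  # maps each host to its check() result
    rows = (line.split(",") for line in inventory.splitlines() if line.strip())
    return {host: check(qts, app, ver) for host, qts, app, ver in rows}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(host, *status)
```

A QTS version given without its build number (for example `4.3.3`) compares as older than the fixed firmware, so such devices are reported as needing the update.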

Updating QTS

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Updating Multimedia Console

  1. Log on to QTS as administrator.
  2. Open the App Center and then click the search icon.
    A search box appears.
  3. Type “Multimedia Console” and then press ENTER.
    Multimedia Console appears in the search results.
  4. Click Update.
    A confirmation message appears.
    Note: The Update button is not available if your Multimedia Console is already up to date.
  5. Click OK.
    The application is updated.

Updating the Media Streaming Add-On

  1. Log on to QTS as administrator.
  2. Open the App Center and then click the search icon.
    A search box appears.
  3. Type “Media Streaming add-on” and then press ENTER.
    The Media Streaming add-on appears in the search results.
  4. Click Update.
    A confirmation message appears.
    Note: The Update button is not available if your Media Streaming add-on is already up to date.
  5. Click OK.
    The application is updated.

Acknowledgements: Yaniv Puyeski

Revision History:
V2.0 (April 29, 2021) - Minor correction
V1.0 (April 16, 2021) - Published
