Search

Security ID : NAS-201911-26

Security Advisory for Stored XSS Vulnerability in QTS Event Notification

  • Release date : November 26, 2019

  • CVE identifier : CVE-2019-7197

  • Affected products: QNAP NAS devices

Severity

Important

Status

Resolved

Summary

A stored cross-site scripting (XSS) vulnerability has been reported to affect multiple versions of QTS. If exploited, this vulnerability may allow an attacker to inject and execute scripts on the administrator console.

We have already fixed this issue in the following QTS versions.

  • QTS 4.4.1: build 20190918 and later
  • QTS 4.3.6: build 20190919 and later
  • QTS 4.3.4: build 20190921 and later
  • QTS 4.3.3: build 20190921 and later
  • QTS 4.2.6: build 20190921 and later

Recommendation

To fix this vulnerability, we recommend updating QTS to the latest version.

Installing the QTS Update

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

 

Acknowledgements: Jérémie Zanone Security Engineer

Revision History: V1.0 (November 26, 2019) - Published

Choose specification

      Show more Less

      Choose Your Country or Region

      open menu
      back to top