Security ID : NAS-201911-27

Security Advisory for Vulnerabilities in File Station, Video Station and Music Station


  • Release date : November 27, 2019

  • CVE identifier : CVE-2019-7183 | CVE-2019-7184 | CVE-2019-7185

  • Affected products: QNAP NAS devices

Severity

Important

Status

Resolved


Summary

Several vulnerabilities have been reported to affect multiple versions of QTS, Video Station and Music Station.

  • CVE-2019-7183: This improper link resolution vulnerability allows remote attackers to access system files.
  • CVE-2019-7184: This cross-site scripting (XSS) vulnerability in Video Station allows remote attackers to inject and execute scripts on the administrator’s management console.
  • CVE-2019-7185: This cross-site scripting (XSS) vulnerability in Music Station allows remote attackers to inject and execute scripts on the administrator’s management console.

We have already fixed these issues in the following software versions.

QTS:

  • QTS 4.4.1: build 20191109 and later
  • QTS 4.3.6: build 20190919 and later
  • QTS 4.3.4: build 20190921 and later
  • QTS 4.3.3: build 20190921 and later
  • QTS 4.2.6: build 20191107 and later

Video Station:

  • QTS 4.4.1: Video Station 5.4.3 and later
  • QTS 4.3.4 - QTS 4.4.0: Video Station 5.3.10 and later

Music Station:

  • QTS 4.4.1: Music Station 5.3.5 and later
  • QTS 4.3.6 - QTS 4.4.0: Music Station 5.2.7 and later
  • QTS 4.3.0 - QTS 4.3.4: Music Station 5.1.11 and later
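
The fixed-version lists above can be checked against a device inventory. The following is an added example, not QNAP code. It assumes a hypothetical inventory record layout (QTS branch, build date, installed app versions) and reports "not-listed" for any QTS branch the advisory does not name instead of guessing.

```python
# Added example. Fixed-version matrix transcribed from the advisory text.
QTS_FIXED_BUILD = {
    "4.4.1": 20191109, "4.3.6": 20190919, "4.3.4": 20190921,
    "4.3.3": 20190921, "4.2.6": 20191107,
}
# Per app: (lowest QTS, highest QTS, first fixed app version).
APP_FIXED = {
    "Video Station": [("4.4.1", "4.4.1", "5.4.3"), ("4.3.4", "4.4.0", "5.3.10")],
    "Music Station": [("4.4.1", "4.4.1", "5.3.5"), ("4.3.6", "4.4.0", "5.2.7"),
                      ("4.3.0", "4.3.4", "5.1.11")],
}

def ver(text):
    """Parse '5.3.10' into (5, 3, 10) so 5.3.10 sorts after 5.3.9."""
    return tuple(int(part) for part in text.strip().split("."))

def qts_status(version, build):
    """Compare a QTS build date against the fixed build for its branch."""
    fixed = QTS_FIXED_BUILD.get(version)
    if fixed is None:
        return "not-listed"  # advisory names no fixed build for this branch
    return "fixed" if int(build) >= fixed else "vulnerable"

def app_status(app, qts_version, app_version):
    """Pick the row whose QTS range covers the device, then compare versions."""
    for low, high, fixed in APP_FIXED[app]:
        if ver(low) <= ver(qts_version) <= ver(high):
            return "fixed" if ver(app_version) >= ver(fixed) else "vulnerable"
    return "not-listed"

def audit(device):
    """Return a status per component for one inventory record."""
    report = {"QTS": qts_status(device["qts"], device["build"])}
    for app, installed in device["apps"].items():
        report[app] = app_status(app, device["qts"], installed)
    return report

# Constructed inventory records (hypothetical hosts, not real devices).
INVENTORY = [
    {"host": "nas-a", "qts": "4.3.6", "build": 20190919,
     "apps": {"Video Station": "5.3.9", "Music Station": "5.2.7"}},
    {"host": "nas-b", "qts": "4.4.0", "build": 20190801,
     "apps": {"Music Station": "5.2.6"}},
]

if __name__ == "__main__":
    for device in INVENTORY:
        print(device["host"], audit(device))
```

Versions are compared as integer tuples because a plain string comparison would rank Video Station 5.3.9 above the fixed 5.3.10.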

Recommendation

To fix these vulnerabilities, we recommend updating QTS, Video Station and Music Station to their latest versions.

Important:

Regardless of which version of QTS you currently use, QNAP strongly recommends updating your QTS to the latest available version for your NAS model to ensure that your device can benefit from vulnerability fixes. You can check the product support status of your NAS model.

Installing the QTS Update

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Updating Video Station

  1. Log on to QTS as administrator.
  2. Open the App Center, and then click the search icon.
    A search box appears.
  3. Type “Video Station”, and then press ENTER.
    The Video Station application appears in the search results list.
  4. Click Update.
    A confirmation message appears.
    Note: The Update button is not available if you are using the latest version.
  5. Click OK.
    The application is updated.

Updating Music Station

  1. Log on to QTS as administrator.
  2. Open the App Center, and then click the search icon.
    A search box appears.
  3. Type “Music Station”, and then press ENTER.
    The Music Station application appears in the search results list.
  4. Click Update.
    A confirmation message appears.
    Note: The Update button is not available if you are using the latest version.
  5. Click OK.
    The application is updated.

 

Acknowledgements: CyCarrier CSIRT

Revision History:

  • V2.0 (December 5, 2019) - Updated
  • V1.0 (November 27, 2019) - Published
