Security ID : NAS-201709-29

Security Advisory for SQL Injection in HelpDesk


  • Release date : September 29, 2017

  • CVE identifier : CVE-2017-13068

  • Affected products: QTS Helpdesk versions 1.1.12 and earlier

Severity

Critical

Status

Resolved


Summary

Kacper Szurek, an independent security researcher, reported a vulnerability affecting QTS HelpDesk through Beyond Security’s SecuriTeam Secure Disclosure program. QNAP acknowledges Mr. Szurek’s discovery and appreciates his efforts.

QNAP has already patched this vulnerability. The flaw allows a remote attacker to perform SQL injection against the application and obtain application information. The attacker does not need any privileges to carry out this attack.

This vulnerability is fixed in QTS Helpdesk 1.1.15.

Recommendations

To resolve the issue, you must update your QTS Helpdesk version to 1.1.15:

Upgrading to Helpdesk 1.1.15


  1. Log on to QTS as administrator.
  2. Open the App Center and then click the Search icon.
  3. Type “Helpdesk” and then press ENTER.
  4. The Helpdesk application appears in the search results list.
  5. Click Update.
  6. A confirmation message appears.
  7. Click OK.
  8. The application is updated.

Revision History: 2017-09-29
