Security ID : NAS-201811-29
Security Advisory for XSS Vulnerability in Qsync Central
Release date : November 29, 2018
CVE identifier : CVE-2018-0716
Affected products: QTS 4.2.6 build 20180711 and earlier versions
QTS 4.3.3: Qsync Central 3.0.2 and earlier versions
QTS 4.3.4: Qsync Central 3.0.3 and earlier versions
QTS 4.3.5: Qsync Central 3.0.4 and earlier versions
Severity
Important
Status
Resolved
Summary
A cross-site scripting vulnerability has been reported to affect Qsync Central. If successfully exploited, the vulnerability could allow remote attackers to inject Javascript code in the compromised application.
We have already fixed these issues in following versions.
- QTS 4.2.6: build 20180829 and later
- QTS 4.3.3: Qsync Central 3.0.2.01 and later
- QTS 4.3.4: Qsync Central 3.0.3.01 and later
- QTS 4.3.5: Qsync Central 3.0.4.01 and later
Recommendation
To resolve the issue, you must perform the following:
- QTS 4.2.6: Update QTS to the latest version.
- QTS 4.3.3, 4.3.4, and 4.3.5: Update Qsync Central to the latest version.
Installing the QTS Update
- Log on to QTS as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS downloads and installs the latest available update.
Updating Qsync Central
- Log on to QTS as administrator.
- Open the App Center, and then click the Search icon.
A search box appears. - Type “Qsync Central”, and then press ENTER.
The Qsync Central application appears in the search results list. - Click Update.
A confirmation message appears. - Click OK.
The application is updated.
Acknowledgements: Marcin Zieba, information security researcher and pentester
Revision History: V1.0 (November 29, 2018) - Published
