Security ID : QSA-20-08
Multiple Vulnerabilities in Helpdesk
Release date : October 7, 2020
CVE identifier : CVE-2020-2506 | CVE-2020-2507
Affected products: Helpdesk
Severity
Critical
Status
Resolved
Summary
Two vulnerabilities have been reported to affect earlier versions of QTS.
- CVE-2020-2506: If exploited, this improper access control vulnerability could allow attackers to gain privileges, or read sensitive information.
- CVE-2020-2507:If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands.
QNAP has already fixed these issues in Helpdesk 3.0.3 and later versions.
Recommendation
To fix the vulnerability, we strongly recommend updating Helpdesk to the latest version.
Updating Helpdesk
- Log on to QTS as administrator.
- Open the App Center, and then click
.
A search box appears. - Type “Helpdesk”, and then press ENTER.
The Helpdesk application appears in the search results. - Click Update.
A confirmation message appears.
Note: The Update button is not available if you are using the latest version. - Click OK.
The application is updated.
Acknowledgements: Jose Antonio Pérez Piedra
Revision History: V1.1 (March 11, 2021) - CVE-2020-2506 refined
V1.0 (October 7, 2020) - Published
