Security ID: QSA-21-44
Command Injection Vulnerability in the Media Streaming Add-On
- Release date: October 22, 2021
- CVE identifier: CVE-2021-34362
- Affected products: QNAP NAS running the Media Streaming add-on
Severity
Important
Status
Resolved
Summary
A command injection vulnerability has been reported to affect QNAP NAS running the Media Streaming add-on. If exploited, this vulnerability allows remote attackers to run arbitrary commands.
We have already fixed this vulnerability in the following versions of the Media Streaming add-on:
- QTS 5.0.0: Media Streaming add-on 500.0.0.3 (2021/08/20) and later
- QTS 4.5.4: Media Streaming add-on 500.0.0.3 (2021/08/20) and later
- QTS 4.3.6: Media Streaming add-on 430.1.8.12 (2021/08/20) and later
- QTS 4.3.3: Media Streaming add-on 430.1.8.12 (2021/09/29) and later
- QuTS hero h5.0.0: Media Streaming add-on 500.0.0.3 (2021/08/20) and later
- QuTS hero h4.5.4: Media Streaming add-on 500.0.0.3 (2021/08/20) and later
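For administrators checking several devices against the list above, the following added example (not QNAP code) compares recorded add-on builds with the fixed builds. The inventory rows, host names and the "version (YYYY/MM/DD)" input format are constructed for illustration, and the reading of "and later" is an assumption noted in the code.

```python
from datetime import date

# Fixed builds copied from the advisory: OS release -> (add-on version, build date).
FIXED = {
    "QTS 5.0.0": ("500.0.0.3", date(2021, 8, 20)),
    "QTS 4.5.4": ("500.0.0.3", date(2021, 8, 20)),
    "QTS 4.3.6": ("430.1.8.12", date(2021, 8, 20)),
    "QTS 4.3.3": ("430.1.8.12", date(2021, 9, 29)),
    "QuTS hero h5.0.0": ("500.0.0.3", date(2021, 8, 20)),
    "QuTS hero h4.5.4": ("500.0.0.3", date(2021, 8, 20)),
}

def vtuple(version):
    """'430.1.8.12' -> (430, 1, 8, 12), so 8.12 sorts after 8.9."""
    return tuple(int(part) for part in version.split("."))

def parse_build(text):
    """Split '430.1.8.12 (2021/08/20)' into a version tuple and a build date."""
    version, _, rest = text.strip().partition(" ")
    y, m, d = (int(x) for x in rest.strip("() ").split("/"))
    return vtuple(version), date(y, m, d)

def status(os_release, addon_build):
    """Return 'fixed', 'needs_update' or 'unknown' for one device."""
    if os_release not in FIXED:
        return "unknown"  # release not listed in the advisory: review manually
    fixed_version, fixed_date = FIXED[os_release]
    try:
        version, built = parse_build(addon_build)
    except ValueError:
        return "unknown"  # inventory value could not be parsed
    # Assumption: "and later" = higher version, or same version built on/after the listed date.
    if (version, built) >= (vtuple(fixed_version), fixed_date):
        return "fixed"
    return "needs_update"

# Constructed inventory rows: (host, OS release, installed add-on build).
INVENTORY = [
    ("nas-a", "QTS 4.3.6", "430.1.8.12 (2021/08/20)"),
    ("nas-b", "QTS 4.3.3", "430.1.8.12 (2021/08/20)"),
    ("nas-c", "QTS 4.3.6", "430.1.8.9 (2021/05/11)"),
    ("nas-d", "QTS 5.0.0", "500.0.0.4 (2021/10/01)"),
    ("nas-e", "QTS 4.2.6", "430.1.8.12 (2021/09/29)"),
]

def audit(rows):
    return {host: status(os_release, build) for host, os_release, build in rows}
```

The same version number is listed with different build dates for QTS 4.3.6 and QTS 4.3.3, so the check compares the build date as well as the version, and it compares versions numerically because a plain string comparison would rank 430.1.8.9 above 430.1.8.12.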
Recommendation
To fix the vulnerability, we recommend updating the Media Streaming add-on to the latest version.
Updating the Media Streaming Add-On
- Log on to QTS as administrator.
- Open the App Center and then click the search icon.
 A search box appears.
- Type “Media Streaming add-on” and then press ENTER.
 The Media Streaming add-on appears in the search results.
- Click Update.
 A confirmation message appears.
 Note: The Update button is not available if your Media Streaming add-on is already up to date.
- Click OK.
 The application is updated.
Acknowledgements: Tony Martin, a security researcher
Revision History: V1.0 (October 22, 2021) - Published
 
                                     
                                    