Security ID : QSA-21-60

XSS and Open Redirect Vulnerabilities in QcalAgent


  • Release date : January 13, 2022

  • CVE identifier : CVE-2021-38677 | CVE-2021-38678

  • Affected products: QNAP NAS running QcalAgent

Severity

Moderate

Status

Resolved


Summary

A cross-site scripting (XSS) vulnerability and an open redirect vulnerability have been reported to affect QNAP NAS running QcalAgent. If exploited, the vulnerabilities allow attackers to inject malicious code and redirect users to an untrusted site that contains malware.

We have already fixed these vulnerabilities in the following versions of QcalAgent:

  • QcalAgent 1.1.7 and later

Recommendation

To fix the vulnerabilities, we recommend updating QcalAgent to the latest version.

Updating QcalAgent

  1. Log on to QTS or QuTS hero as administrator.
  2. Open the App Center and then click .
    A search box appears.
  3. Enter "QcalAgent".
    QcalAgent appears in the search results.
  4. Click Update.
    A confirmation message appears.
    Note: The Update button is not available if your application is already up to date.
  5. Click OK.
    The application is updated.

Acknowledgements: Tony Martin, a security researcher

Revision History: V1.0 (January 13, 2022) - Published

選擇規格

      顯示更多 隱藏更多

      選擇其他偏好的語言:

      open menu
      back to top