Security ID: QSA-20-05
Multiple Vulnerabilities in Helpdesk
Release date: September 9, 2020
CVE identifier: CVE-2018-19946 | CVE-2018-19947 | CVE-2018-19948
Affected products: All QNAP NAS
Severity
Moderate
Status
Resolved
Summary
Three vulnerabilities have been reported to affect earlier versions of Helpdesk.
- CVE-2018-19946: If exploited, this improper certificate validation vulnerability could allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client.
- CVE-2018-19947: If exploited, this information exposure vulnerability could disclose sensitive information.
- CVE-2018-19948: If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application.
QNAP has already fixed these issues in the following software versions.
- All QTS versions: Helpdesk 3.0.3 and later
Recommendation
To fix these vulnerabilities, we recommend updating Helpdesk to the latest version.
Updating Helpdesk
- Log on to QTS as administrator.
- Open the App Center, and then click .
  A search box appears.
- Type “Helpdesk”, and then press ENTER.
  The Helpdesk application appears in the search results.
- Click Update.
  A confirmation message appears.
  Note: The Update button is not available if you are using the latest version.
- Click OK.
  The application is updated.
Acknowledgements: Independent Security Evaluators
Revision History: V1.0 (September 9, 2020) - Published