CVE-2021-28812 – Command Injection Vulnerability in Video Station
https://notcve.org/view.php?id=CVE-2021-28812
A command injection vulnerability has been reported to affect certain versions of Video Station. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Video Station versions prior to 5.5.4 on QTS 4.5.2; versions prior to 5.5.4 on QuTS hero h4.5.2; versions prior to 5.5.4 on QuTScloud c4.5.4. This issue does not affect: QNAP Systems Inc. • https://www.qnap.com/zh-tw/security-advisory/qsa-21-21 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-1286: Improper Validation of Syntactic Correctness of Input •
CVE-2021-33181
https://notcve.org/view.php?id=CVE-2021-33181
Server-Side Request Forgery (SSRF) vulnerability in webapi component in Synology Video Station before 2.4.10-1632 allows remote authenticated users to send arbitrary request to intranet resources via unspecified vectors. Una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) en el componente webapi en Synology Video Station versiones anteriores a 2.4.10-1632, permite a usuarios autenticados remotos enviar peticiones arbitrarias a los recursos de la intranet por medio de vectores no especificados • https://www.synology.com/security/advisory/Synology_SA_21_04 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2019-7184
https://notcve.org/view.php?id=CVE-2019-7184
This cross-site scripting (XSS) vulnerability in Video Station allows remote attackers to inject and execute scripts on the administrator’s management console. To fix this vulnerability, QNAP recommend updating Video Station to their latest versions. Esta vulnerabilidad de secuencias de comandos entre sitios (XSS) en Video Station permite a los atacantes remotos inyectar y ejecutar secuencias de comandos en la consola de administración del administrador. Para corregir esta vulnerabilidad, QNAP recomienda actualizar Video Station a sus últimas versiones. • https://www.qnap.com/zh-tw/security-advisory/nas-201911-27 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-13071
https://notcve.org/view.php?id=CVE-2017-13071
QNAP has already patched this vulnerability. This security concern allows a remote attacker to run arbitrary commands on the QNAP Video Station 5.1.3 (for QTS 4.3.3), 5.2.0 (for QTS 4.3.4), and earlier. QNAP ya ha parcheado esta vulnerabilidad. Este problema de seguridad permite que un atacante remoto ejecute comandos arbitrarios en QNAP Video Station 5.1.3 (para QTS 4.3.3), 5.2.0 (para QTS 4.3.4) y anteriores. • https://www.qnap.com/zh-tw/security-advisory/nas-201711-21 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2017-9556
https://notcve.org/view.php?id=CVE-2017-9556
Cross-site scripting (XSS) vulnerability in Video Metadata Editor in Synology Video Station before 2.3.0-1435 allows remote authenticated attackers to inject arbitrary web script or HTML via the title parameter. Una vulnerabildad de tipo Cross-Site Scripting (XSS) en Video Metadata Editor en Synology Video Station en versiones anteriores a la 2.3.0-1435 permite que atacantes remotos autenticados inyecten script web o HTML arbitrario mediante el parámetro título. • https://www.synology.com/en-global/support/security/Synology_SA_17_39_Video_Station • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •