CVE-2021-38685 – Command Injection Vulnerability in VioStor
https://notcve.org/view.php?id=CVE-2021-38685
A command injection vulnerability has been reported to affect QNAP device, VioStor. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QVR: QVR FW 5.1.6 build 20211109 and later. • https://www.qnap.com/en/security-advisory/qsa-21-51 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2021-38681 – Reflected XSS Vulnerability in Ragic Cloud DB
https://notcve.org/view.php?id=CVE-2021-38681
A reflected cross-site scripting (XSS) vulnerability has been reported to affect QNAP NAS running Ragic Cloud DB. If exploited, this vulnerability allows remote attackers to inject malicious code. QNAP have already disabled and removed Ragic Cloud DB from the QNAP App Center, pending a security patch from Ragic. • https://www.qnap.com/en/security-advisory/qsa-21-48 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-34358 – CSRF Vulnerability in QmailAgent
https://notcve.org/view.php?id=CVE-2021-34358
We have already fixed this vulnerability in the following versions of QmailAgent: QmailAgent 3.0.2 (2021/08/25) and later. • https://www.qnap.com/en/security-advisory/qsa-21-49 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2021-38684 – Buffer Overflow Vulnerability in Multimedia Console
https://notcve.org/view.php?id=CVE-2021-38684
A stack buffer overflow vulnerability has been reported to affect QNAP NAS running Multimedia Console. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of Multimedia Console: Multimedia Console 1.4.3 (2021/10/05) and later; Multimedia Console 1.5.3 (2021/10/05) and later. • https://www.qnap.com/en/security-advisory/qsa-21-45 • CWE-787: Out-of-bounds Write
CVE-2021-34357 – Reflected XSS Vulnerability in QmailAgent
https://notcve.org/view.php?id=CVE-2021-34357
A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QmailAgent. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QmailAgent: QmailAgent 3.0.2 (2021/08/25) and later. • https://www.qnap.com/en/security-advisory/qsa-21-47 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')