CVE-2021-28805 – Inclusion of Sensitive Information in QSS
https://notcve.org/view.php?id=CVE-2021-28805
Inclusion of sensitive information in the source code has been reported to affect certain QNAP switches running QSS. If exploited, this vulnerability allows attackers to read application data. This issue affects: QNAP Systems Inc. QSS versions prior to 1.0.3 build 20210505 on QSW-M2108-2C; versions prior to 1.0.3 build 20210505 on QSW-M2108-2S; versions prior to 1.0.3 build 20210505 on QSW-M2108R-2C; versions prior to 1.0.12 build 20210506 on QSW-M408.
References: https://www.qnap.com/zh-tw/security-advisory/qsa-21-24
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-540: Inclusion of Sensitive Information in Source Code
CVE-2021-28801 – Out-of-Bounds Read Vulnerability in QSS
https://notcve.org/view.php?id=CVE-2021-28801
An out-of-bounds read vulnerability has been reported to affect certain QNAP switches running QSS. If exploited, this vulnerability allows attackers to read sensitive information on the system. This issue affects: QNAP Systems Inc. QSS versions prior to 1.0.2 build 20210122 on QSW-M2108-2C; versions prior to 1.0.2 build 20210122 on QSW-M2108-2S; versions prior to 1.0.2 build 20210122 on QSW-M2108R-2C.
References: https://www.qnap.com/zh-tw/security-advisory/qsa-21-23
CWE-125: Out-of-bounds Read
CVE-2021-28810 – Vulnerability in Roon Server
https://notcve.org/view.php?id=CVE-2021-28810
If exploited, this vulnerability allows an attacker to access resources which are not otherwise accessible without proper authentication. Roon Labs has already fixed this vulnerability in the following versions: Roon Server 2021-05-18 and later.
References: https://www.qnap.com/zh-tw/security-advisory/qsa-21-17
CWE-290: Authentication Bypass by Spoofing
CVE-2021-28812 – Command Injection Vulnerability in Video Station
https://notcve.org/view.php?id=CVE-2021-28812
A command injection vulnerability has been reported to affect certain versions of Video Station. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Video Station versions prior to 5.5.4 on QTS 4.5.2; versions prior to 5.5.4 on QuTS hero h4.5.2; versions prior to 5.5.4 on QuTScloud c4.5.4. This issue does not affect: QNAP Systems Inc.
References: https://www.qnap.com/zh-tw/security-advisory/qsa-21-21
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'); CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'); CWE-1286: Improper Validation of Syntactic Correctness of Input
CVE-2021-28807 – Post-Authentication Reflected XSS Vulnerability in Q'center
https://notcve.org/view.php?id=CVE-2021-28807
A post-authentication reflected XSS vulnerability has been reported to affect QNAP NAS running Q'center. If exploited, this vulnerability allows remote attackers to inject malicious code. QNAP has already fixed this vulnerability in the following versions of Q'center: QTS 4.5.3: Q'center v1.12.1012 and later; QTS 4.3.6: Q'center v1.10.1004 and later; QTS 4.3.3: Q'center v1.10.1004 and later; QuTS hero h4.5.2: Q'center v1.12.1012 and later; QuTScloud c4.5.4: Q'center v1.12.1012 and later.
References: https://www.qnap.com/zh-tw/security-advisory/qsa-21-20 ; https://www.shielder.it/advisories/qnap-qcenter-post-auth-remote-code-execution-via-qpkg ; https://www.shielder.it/advisories/qnap-qcenter-virtual-stored-xss
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')