CVSS: 3.3EPSS: 0%CPEs: 17EXPL: 0CVE-2022-27598 – QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances)
https://notcve.org/view.php?id=CVE-2022-27598
29 Mar 2023 — A vulnerability has been reported to affect QNAP operating systems. If exploited, the out-of-bounds read vulnerability allows remote authenticated administrators to get secret values. The vulnerability affects the following QNAP operating systems: QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances) We have already fixed the vulnerability in the following versions: QTS 5.0.1.2346 build 20230322 and later QuTS hero h5.0.1.2348 build 20230324 and later • https://www.qnap.com/en/security-advisory/qsa-23-06 • CWE-125: Out-of-bounds Read •
CVSS: 10.0EPSS: 36%CPEs: 11EXPL: 0CVE-2022-27593 – QNAP Photo Station Externally Controlled Reference Vulnerability
https://notcve.org/view.php?id=CVE-2022-27593
08 Sep 2022 — An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, This could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and later Se ha informado una vulnerabilidad de re... • https://www.qnap.com/en/security-advisory/qsa-22-24 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-34360 – CSRF Bypass in Proxy Server
https://notcve.org/view.php?id=CVE-2021-34360
26 May 2022 — A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP device running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Proxy Server: QTS 4.5.x: Proxy Server 1.4.2 ( 2021/12/30 ) and later QuTS hero h5.0.0: Proxy Server 1.4.3 ( 2022/01/18 ) and later QuTScloud c4.5.6: Proxy Server 1.4.2 ( 2021/12/30 ) and later Se ha informado de una vulnerabilidad de tipo cross-si... • https://www.qnap.com/en/security-advisory/qsa-22-18 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 19EXPL: 0CVE-2021-44054 – Open redirect
https://notcve.org/view.php?id=CVE-2021-44054
05 May 2022 — An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 2022... • https://www.qnap.com/en/security-advisory/qsa-22-16 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 19EXPL: 0CVE-2021-44053 – Reflected XSS
https://notcve.org/view.php?id=CVE-2021-44053
05 May 2022 — A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QTS 4.5.4.1991 build 20220329 and later QTS 5.0.0.1986 build 20220324 and later QuTS hero h5.0.0.1986 build 20220324 and later QuTS hero h4.5.4.1971 build 20220310 and later QuTScloud c5.0.1.1949 and later Se... • https://www.qnap.com/en/security-advisory/qsa-22-16 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 19EXPL: 0CVE-2021-44052 – Arbitrary file read
https://notcve.org/view.php?id=CVE-2021-44052
05 May 2022 — An improper link resolution before file access ('Link Following') vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, and QTS. If exploited, this vulnerability allows remote attackers to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, and QTS: QuTScloud c5.0.1.1998 and later QuTS hero h4.5.4.1971 build 20220310 and later QuTS her... • https://www.qnap.com/en/security-advisory/qsa-22-16 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 8.8EPSS: 0%CPEs: 19EXPL: 0CVE-2021-44051 – Command injection
https://notcve.org/view.php?id=CVE-2021-44051
05 May 2022 — A command injection vulnerability has been reported to affect QNAP NAS running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1986 build 20220324 and later QTS 5.0.0.1986 build 20220324 and later Se ha informado de una vulnerabilidad de inyección de comandos que afecta a los NAS de QNAP que ejec... • https://www.qnap.com/en/security-advisory/qsa-22-16 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2021-38693 – Path Traversal in thttpd
https://notcve.org/view.php?id=CVE-2021-38693
05 May 2022 — A path traversal vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. If exploited, this vulnerability allows attackers to read the contents of unexpected files and expose sensitive data. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 202203... • https://www.qnap.com/en/security-advisory/qsa-22-13 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2021-38674 – Reflected XSS Vulnerability in TFTP
https://notcve.org/view.php?id=CVE-2021-38674
07 Jan 2022 — A cross-site scripting (XSS) vulnerability has been reported to affect QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QuTS hero h4.5.4.1771 build 20210825 and later QTS 4.5.4.1787 build 20210910 and later QuTScloud c4.5.7.1864 and later Se ha informado de una vulnerabilidad de tipo cross-site scripting (XSS) que afecta a QTS, QuTS hero y QuTScl... • https://www.qnap.com/en/security-advisory/qsa-21-63 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 10EXPL: 0CVE-2021-38687 – Stack Overflow Vulnerability in Surveillance Station
https://notcve.org/view.php?id=CVE-2021-38687
29 Dec 2021 — A stack buffer overflow vulnerability has been reported to affect QNAP NAS running Surveillance Station. If exploited, this vulnerability allows attackers to execute arbitrary code. We have already fixed this vulnerability in the following versions of Surveillance Station: QTS 5.0.0 (64 bit): Surveillance Station 5.2.0.4.2 ( 2021/10/26 ) and later QTS 5.0.0 (32 bit): Surveillance Station 5.2.0.3.2 ( 2021/10/26 ) and later QTS 4.3.6 (64 bit): Surveillance Station 5.1.5.4.6 ( 2021/10/26 ) and later QTS 4.3.6 ... • https://www.qnap.com/en/security-advisory/qsa-21-46 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •