CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2017-13072
https://notcve.org/view.php?id=CVE-2017-13072
21 Jun 2018 — Cross-site scripting (XSS) vulnerability in App Center in QNAP QTS 4.2.6 build 20171208, QTS 4.3.3 build 20171213, QTS 4.3.4 build 20171223, and their earlier versions could allow remote attackers to inject Javascript code. Vulnerabilidad Cross-Site Scripting (XSS) en App Center en QNAP QTS 4.2.6 build 20171208, QTS 4.3.3 build 20171213, QTS 4.3.4 build 20171223 y sus versiones anteriores podría permitir que los atacantes remotos inyecten código JavaScript. • https://www.qnap.com/en/security-advisory/nas-201805-16 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 2%CPEs: 3EXPL: 0CVE-2018-0712
https://notcve.org/view.php?id=CVE-2018-0712
21 Jun 2018 — Command injection vulnerability in LDAP Server in QNAP QTS 4.2.6 build 20171208, QTS 4.3.3 build 20180402, QTS 4.3.4 build 20180413 and their earlier versions could allow remote attackers to run arbitrary commands or install malware on the NAS. Vulnerabilidad de inyección de comandos en LDAP Server en QNAP QTS 4.2.6 build 20171208, QTS 4.3.3 build 20180402, QTS 4.3.4 build 20180413 y sus versiones anteriores podría permitir que los atacantes remotos ejecuten comandos arbitrarios o instalen malware en el NAS... • http://www.securitytracker.com/id/1041141 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-7630
https://notcve.org/view.php?id=CVE-2017-7630
27 Mar 2018 — QNAP QTS 4.2.6 build 20171026, QTS 4.3.3 build 20170727 and earlier allows remote attackers to obtain potentially sensitive information (firmware version and running services) via a request to sysinfoReq.cgi. QNAP QTS 4.2.6 build 20171026, QTS 4.3.3 build 20170727 y anteriores permiten que atacantes remotos obtengan información potencialmente sensible (versión de firmware y servicios en ejecución) mediante una petición en sysinfoReq.cgi. • https://www.qnap.com/zh-tw/security-advisory/nas-201803-23 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2017-7631
https://notcve.org/view.php?id=CVE-2017-7631
27 Mar 2018 — Cross-site scripting (XSS) vulnerability in the share link function of File Station of QNAP 4.2.6 build 20171026, QTS 4.3.3 build 20170727 and earlier allows remote attackers to inject arbitrary web script or HTML. Vulnerabilidad de Cross-Site Scripting (XSS) en la función de compartición de enlaces de File Station, en QNAP 4.2.6 build 20171026, QTS 4.3.3 build 20170727 y anteriores, permite que atacantes remotos inyecten scripts web o HTML arbitrarios. • https://www.qnap.com/zh-tw/security-advisory/nas-201803-23 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2017-7632
https://notcve.org/view.php?id=CVE-2017-7632
27 Mar 2018 — Cross-site scripting (XSS) vulnerability in File Station of QNAP QTS 4.2.6 build 20171026, QTS 4.3.3 build 20170727 and earlier allows remote attackers to inject arbitrary web script or HTML. Vulnerabilidad de Cross-Site Scripting (XSS) en File Station, en QNAP 4.2.6 build 20171026, QTS 4.3.3 build 20170727 y anteriores, permite que atacantes remotos inyecten scripts web o HTML arbitrarios. • https://www.qnap.com/zh-tw/security-advisory/nas-201803-23 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2017-7634
https://notcve.org/view.php?id=CVE-2017-7634
08 Mar 2018 — Cross-site scripting (XSS) vulnerability in QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2.0, and earlier allows remote attackers to inject arbitrary web script or HTML. The injected code will only be triggered by a crafted link, not the normal page. Vulnerabilidad Cross-Site Scripting (XSS) en el add-on Media Streaming de la aplicación NAS de QNAP, en versiones 421.1.0.2, 430.1.2.0 y anteriores, permite que los atacantes remotos inyecten scripts web o HTML arbitrarios. El código iny... • https://www.qnap.com/zh-tw/security-advisory/nas-201803-08 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2017-7638
https://notcve.org/view.php?id=CVE-2017-7638
08 Mar 2018 — QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2.0, and earlier does not authenticate requests properly. Successful exploitation could lead to change of the Media Streaming settings, and leakage of sensitive information of the QNAP NAS. El add-on Media Streaming de la aplicación NAS de QNAP en versiones 421.1.0.2, 430.1.2.0 y anteriores no autentica las peticiones correctamente. Su explotación exitosa podría provocar que se cambie la configuración de Media Streaming y que se fugue info... • https://www.qnap.com/zh-tw/security-advisory/nas-201803-08 • CWE-287: Improper Authentication •
CVSS: 10.0EPSS: 2%CPEs: 4EXPL: 0CVE-2017-7640
https://notcve.org/view.php?id=CVE-2017-7640
08 Mar 2018 — QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2.0, and earlier allows remote attackers to run arbitrary OS commands against the system with root privileges. El add-on Media Streaming de la aplicación NAS de QNAP en versiones 421.1.0.2, 430.1.2.0 y anteriores permite que los atacantes remotos ejecuten comandos arbitrarios del sistema operativo contra el sistema con privilegios root. • https://www.qnap.com/zh-tw/security-advisory/nas-201803-08 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2017-7641
https://notcve.org/view.php?id=CVE-2017-7641
08 Mar 2018 — QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2.0, and earlier does not utilize CSRF protections. El add-on Media Streaming de la aplicación NAS de QNAP en versiones 421.1.0.2, 430.1.2.0 y anteriores no utiliza medidas de seguridad contra CSRF. • https://www.qnap.com/zh-tw/security-advisory/nas-201803-08 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 3%CPEs: 6EXPL: 0CVE-2017-17027 – QNAP QTS NASFTPD USER Stack-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2017-17027
20 Dec 2017 — A buffer overflow vulnerability in FTP service in QNAP QTS version 4.2.6 build 20171026, 4.3.3.0378 build 20171117, 4.3.4.0387 (Beta 2) build 20171116 and earlier could allow remote attackers to execute arbitrary code on NAS devices. Una vulnerabilidad de desbordamiento de búfer en el servicio FTP de QNAP QTS, en sus versiones 4.2.6 build 20171026, 4.3.3.0378 build 20171117, 4.3.4.0387 (Beta 2) build 20171116 y anteriores podría permitir que atacantes remotos ejecuten código arbitrario en dispositivos NAS. ... • http://www.securitytracker.com/id/1040018 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •