CVSS: 10.0EPSS: 0%CPEs: 6EXPL: 0CVE-2021-28809 – Missing Authentication for Critical Function in RTRR Server in HBS3
https://notcve.org/view.php?id=CVE-2021-28809
An improper access control vulnerability has been reported to affect certain legacy versions of HBS 3. If exploited, this vulnerability allows attackers to compromise the security of the operating system.QNAP have already fixed this vulnerability in the following versions of HBS 3: QTS 4.3.6: HBS 3 v3.0.210507 and later QTS 4.3.4: HBS 3 v3.0.210506 and later QTS 4.3.3: HBS 3 v3.0.210506 and later Se ha informado una vulnerabilidad de control de acceso inapropiado que afecta a determinadas versiones heredadas de HBS 3. Si es explotada, esta vulnerabilidad permite a atacantes comprometer la seguridad del sistema operativo.QNAP ya ha corregido esta vulnerabilidad en las siguientes versiones de HBS 3: QTS versiones 4.3.6: HBS 3 versiones v3.0.210507 y posteriores QTS versiones 4.3.4: HBS 3 versiones v3.0.210506 y posteriores This vulnerability allows remote attackers to execute arbitrary code on affected installations of QNAP NAS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the RTSS server, which listens on TCP port 8899 by default. The issue results from the lack of authentication prior to allowing alterations to the system configuration. • https://www.qnap.com/en/security-advisory/qsa-21-19 https://www.zerodayinitiative.com/advisories/ZDI-21-783 • CWE-284: Improper Access Control CWE-306: Missing Authentication for Critical Function CWE-749: Exposed Dangerous Method or Function •
CVSS: 10.0EPSS: 88%CPEs: 11EXPL: 0CVE-2021-28799 – QNAP NAS Improper Authorization Vulnerability
https://notcve.org/view.php?id=CVE-2021-28799
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . • https://www.qnap.com/en/security-advisory/QSA-21-13 • CWE-285: Improper Authorization •