Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-2498

If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in certificate configuration. QANP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later QTS 4.3.6.1333 build 20200608 and later QTS 4.3.4.1368 build 20200703 and later QTS 4.3.3.1315 build 20200611 and later QTS 4.2.6 build 20200611 and later

Published

2020-12-10T04:15:12.047

Last Modified

2024-11-21T05:25:21.087

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.1 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-79
CWE-80
Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	qnap	quts_hero	< h4.5.1.1472	Yes
Application	qnap	qts	< 4.5.1.1456	Yes
Operating System	qnap	qts	< 4.4.3.1354	Yes
Operating System	qnap	qts	< 4.3.6.1333	Yes
Operating System	qnap	qts	< 4.3.4.1368	Yes
Operating System	qnap	qts	< 4.3.3.1315	Yes
Operating System	qnap	qts	< 4.2.6	Yes

References

https://www.qnap.com/en/security-advisory/qsa-20-12 Vendor Advisory ([email protected])
https://www.qnap.com/en/security-advisory/qsa-20-12 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)