Ivan Huertas

**Name of the Vulnerable Software and Affected Versions** QNAP Q'center Virtual Appliance versions 1.7.1063 and earlier **Description** Exposure of private information could allow authenticated users to access sensitive information. **Recommendations** For QNAP Q'center Virtual Appliance versions 1.7.1063 and earlier, update to a version later than 1.7.1063 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QNAP Q'center Virtual Appliance versions 1.7.1063 and earlier **Description** A command injection issue in the networking component of QNAP Q'center Virtual Appliance could allow authenticated users to execute arbitrary commands. **Recommendations** For QNAP Q'center Virtual Appliance versions 1.7.1063 and earlier, update to a version later than 1.7.1063 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QNAP Q'center Virtual Appliance versions 1.7.1063 and earlier **Description** A command injection issue exists in the change password functionality, allowing authenticated users to execute arbitrary commands. **Recommendations** For QNAP Q'center Virtual Appliance versions 1.7.1063 and earlier, update to a version later than 1.7.1063 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QNAP Q'center Virtual Appliance versions 1.7.1063 and earlier **Description** A command injection issue allows authenticated users to execute arbitrary commands. **Recommendations** For QNAP Q'center Virtual Appliance versions 1.7.1063 and earlier, update to a version later than 1.7.1063 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Dell EMC Isilon versions 7.1.1.11 Dell EMC Isilon versions 7.2.1.x Dell EMC Isilon versions 8.0.0.0 through 8.0.0.6 Dell EMC Isilon versions 8.0.1.0 through 8.0.1.2 Dell EMC Isilon versions 8.1.0.0 through 8.1.0.1 **Description** The issue is a cross-site scripting vulnerability in the Antivirus Page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. **Recommendations** For version 7.1.1.11, update to a version that is not affected by this issue. For versions 7.2.1.x, update to a version that is not affected by this issue. For versions 8.0.0.0 through 8.0.0.6, update to a version that is not affected by this issue. For versions 8.0.1.0 through 8.0.1.2, update to a version that is not affected by this issue. For versions 8.1.0.0 through 8.1.0.1, update to a version that is not affected by this issue. As a temporary workaround, consider restricting access to the Antivirus Page within the OneFS web administration interface until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Dell EMC Isilon OneFS versions 8.0.0.0 through 8.0.0.6 Dell EMC Isilon OneFS versions 8.0.1.0 through 8.0.1.2 Dell EMC Isilon OneFS versions 8.1.0.0 through 8.1.0.1 **Description** The issue allows the compadmin to run the tcpdump binary with root privileges. This could potentially be used to execute arbitrary code with root privileges. **Recommendations** For versions 8.0.0.0 through 8.0.0.6, consider restricting the use of the tcpdump binary to prevent potential exploitation. For versions 8.0.1.0 through 8.0.1.2, consider restricting the use of the tcpdump binary to prevent potential exploitation. For versions 8.1.0.0 through 8.1.0.1, consider restricting the use of the tcpdump binary to prevent potential exploitation.

**Name of the Vulnerable Software and Affected Versions** Dell EMC Isilon OneFS versions 7.1.1.11 Dell EMC Isilon OneFS versions 7.2.1.x Dell EMC Isilon OneFS versions 8.0.0.0 through 8.0.0.6 Dell EMC Isilon OneFS versions 8.0.1.0 through 8.0.1.2 Dell EMC Isilon OneFS versions 8.1.0.0 through 8.1.0.1 **Description** A path traversal vulnerability exists in the isi phone home tool, potentially allowing a malicious compadmin to execute arbitrary code with root privileges. **Recommendations** For version 7.1.1.11, update to a version that fixes the path traversal vulnerability in the isi phone home tool. For versions 7.2.1.x, update to a version that fixes the path traversal vulnerability in the isi phone home tool. For versions 8.0.0.0 through 8.0.0.6, update to a version that fixes the path traversal vulnerability in the isi phone home tool. For versions 8.0.1.0 through 8.0.1.2, update to a version that fixes the path traversal vulnerability in the isi phone home tool. For versions 8.1.0.0 through 8.1.0.1, update to a version that fixes the path traversal vulnerability in the isi phone home tool.

**Name of the Vulnerable Software and Affected Versions** Dell EMC Isilon OneFS versions 7.1.1.11 Dell EMC Isilon OneFS versions 7.2.1.x Dell EMC Isilon OneFS versions 8.0.0.0 through 8.0.0.6 Dell EMC Isilon OneFS versions 8.0.1.0 through 8.0.1.2 Dell EMC Isilon OneFS versions 8.1.0.0 through 8.1.0.1 **Description** The issue is a cross-site request forgery vulnerability that could allow a malicious user to send unauthorized requests to the server on behalf of authenticated users of the application. **Recommendations** For version 7.1.1.11, update to a version that is not affected by this issue. For versions 7.2.1.x, update to a version that is not affected by this issue. For versions 8.0.0.0 through 8.0.0.6, update to a version that is not affected by this issue. For versions 8.0.1.0 through 8.0.1.2, update to a version that is not affected by this issue. For versions 8.1.0.0 through 8.1.0.1, update to a version that is not affected by this issue.

**Name of the Vulnerable Software and Affected Versions** Dell EMC Isilon versions 8.1.0.0 through 8.1.0.1 Dell EMC Isilon versions 8.0.1.0 through 8.0.1.2 Dell EMC Isilon versions 8.0.0.0 through 8.0.0.6 Dell EMC Isilon version 7.1.1.11 **Description** The issue is related to a cross-site scripting vulnerability in the NDMP Page within the OneFS web administration interface. This could allow a malicious administrator to inject arbitrary HTML or JavaScript code into a user's browser session in the context of the OneFS website. **Recommendations** For versions 8.1.0.0 through 8.1.0.1, update to a version outside of this range to resolve the issue. For versions 8.0.1.0 through 8.0.1.2, update to a version outside of this range to resolve the issue. For versions 8.0.0.0 through 8.0.0.6, update to a version outside of this range to resolve the issue. For version 7.1.1.11, update to a version newer than 7.1.1.11 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Dell EMC Isilon versions 8.1.0.0 through 8.1.0.1 Dell EMC Isilon versions 8.0.1.0 through 8.0.1.2 Dell EMC Isilon versions 8.0.0.0 through 8.0.0.6 Dell EMC Isilon versions 7.2.1.x Dell EMC Isilon version 7.1.1.11 **Description** The issue is related to a cross-site scripting vulnerability in the Cluster description of the OneFS web administration interface. This could allow a malicious administrator to inject arbitrary HTML or JavaScript code into a user's browser session in the context of the OneFS website. **Recommendations** For versions 8.1.0.0 through 8.1.0.1, update to a version outside of this range to resolve the issue. For versions 8.0.1.0 through 8.0.1.2, update to a version outside of this range to resolve the issue. For versions 8.0.0.0 through 8.0.0.6, update to a version outside of this range to resolve the issue. For versions 7.2.1.x, update to a version outside of this range to resolve the issue. For version 7.1.1.11, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the OneFS web administration interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Dell EMC Isilon versions 8.0.0.0 through 8.0.0.6 Dell EMC Isilon versions 8.0.1.0 through 8.0.1.2 Dell EMC Isilon versions 8.1.0.0 through 8.1.0.1 **Description** The issue is related to a cross-site scripting vulnerability in the Network Configuration page within the OneFS web administration interface. This could allow a malicious administrator to inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. **Recommendations** For versions 8.0.0.0 through 8.0.0.6, update to a version outside of the affected range to resolve the issue. For versions 8.0.1.0 through 8.0.1.2, update to a version outside of the affected range to resolve the issue. For versions 8.1.0.0 through 8.1.0.1, update to a version outside of the affected range to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Dell EMC Isilon versions 7.2.1.x Dell EMC Isilon versions 8.0.0.0 through 8.0.0.6 Dell EMC Isilon versions 8.0.1.0 through 8.0.1.2 Dell EMC Isilon versions 8.1.0.0 through 8.1.0.1 **Description** The issue is related to a cross-site scripting vulnerability in the Authorization Providers page within the OneFS web administration interface. This could allow a malicious administrator to inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website. **Recommendations** For versions 7.2.1.x, update to a version that is not affected by this issue. For versions 8.0.0.0 through 8.0.0.6, update to a version that is not affected by this issue. For versions 8.0.1.0 through 8.0.1.2, update to a version that is not affected by this issue. For versions 8.1.0.0 through 8.1.0.1, update to a version that is not affected by this issue.

**Name of the Vulnerable Software and Affected Versions** Lenovo SHAREit versions prior to 3.2.0 for Windows Lenovo SHAREit versions prior to 3.5.48 ww for Android **Description** The issue allows remote attackers to obtain sensitive information or conduct man-in-the-middle attacks. This is possible because files are transferred in cleartext, making it easier for attackers to intercept data by sniffing the network or via unspecified vectors. **Recommendations** For Windows versions prior to 3.2.0, update to version 3.2.0 or later to resolve the issue. For Android versions prior to 3.5.48 ww, update to version 3.5.48 ww or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Lenovo SHAREit versions prior to 3.5.48 ww **Description** The issue concerns the Wifi hotspot feature in Lenovo SHAREit, which does not require a password when configured to receive files. This makes it easier for remote attackers to gain access by being within the WLAN coverage area. **Recommendations** For versions prior to 3.5.48 ww, update to version 3.5.48 ww or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Lenovo SHAREit versions prior to 3.2.0 **Description** The issue concerns a hardcoded password in the Wifi hotspot feature of Lenovo SHAREit. When configured to receive files, the hardcoded password `12345678` can be exploited by remote attackers within the WLAN coverage area to gain access. **Recommendations** For versions prior to 3.2.0, update to version 3.2.0 or later to resolve the issue. As a temporary workaround, consider disabling the Wifi hotspot feature when not in use to minimize the risk of exploitation. Restrict access to the device's WLAN to trusted users only.

**Name of the Vulnerable Software and Affected Versions** Lenovo SHAREit versions prior to 3.2.0 **Description** The issue allows remote attackers to obtain sensitive file names via a crafted file request to the "/list" API endpoint. **Recommendations** For versions prior to 3.2.0, update to version 3.2.0 or later to resolve the issue.