Jan Hoff

Name of the Vulnerable Software and Affected Versions: QNAP Systems Inc. QuLog Center versions prior to 1.2.0 Description: A stored XSS issue has been reported, allowing attackers to inject malicious code. Recommendations: For versions prior to 1.2.0, update to version 1.2.0 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: QNAP Systems Inc. QTS versions prior to 4.5.1.1540 build 20210107 QNAP Systems Inc. QuTS hero versions prior to h4.5.1.1582 build 20210217 Description: A command injection issue has been reported, allowing attackers to execute arbitrary commands in a compromised application. Recommendations: For QTS versions prior to 4.5.1.1540 build 20210107, update to version 4.5.1.1540 build 20210107 or later. For QuTS hero versions prior to h4.5.1.1582 build 20210217, update to version h4.5.1.1582 build 20210217 or later.

Name of the Vulnerable Software and Affected Versions: QNAP Systems Inc. Q'center versions prior to 1.11.1004 Description: This issue affects QNAP Systems Inc. Q'center. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. Recommendations: For QNAP Systems Inc. Q'center versions prior to 1.11.1004, update to version 1.11.1004 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: QNAP Systems Inc. QTS versions prior to 4.5.1.1540 build 20210107 QNAP Systems Inc. QuTS hero versions prior to h4.5.1.1582 build 20210217 Description: A command injection issue has been reported, allowing attackers to execute arbitrary commands in a compromised application. Recommendations: For QTS versions prior to 4.5.1.1540 build 20210107, update to version 4.5.1.1540 build 20210107 or later. For QuTS hero versions prior to h4.5.1.1582 build 20210217, update to version h4.5.1.1582 build 20210217 or later.

Name of the Vulnerable Software and Affected Versions: QNAP Systems Inc. QSS versions prior to 1.0.3 build 20210505 on QSW-M2108-2C QNAP Systems Inc. QSS versions prior to 1.0.3 build 20210505 on QSW-M2108-2S QNAP Systems Inc. QSS versions prior to 1.0.3 build 20210505 on QSW-M2108R-2C QNAP Systems Inc. QSS versions prior to 1.0.12 build 20210506 on QSW-M408 Description: The inclusion of sensitive information in the source code has been reported, affecting certain QNAP switches running QSS. If exploited, this issue allows attackers to read application data. Recommendations: For QNAP Systems Inc. QSS versions prior to 1.0.3 build 20210505 on QSW-M2108-2C, update to version 1.0.3 build 20210505 or later. For QNAP Systems Inc. QSS versions prior to 1.0.3 build 20210505 on QSW-M2108-2S, update to version 1.0.3 build 20210505 or later. For QNAP Systems Inc. QSS versions prior to 1.0.3 build 20210505 on QSW-M2108R-2C, update to version 1.0.3 build 20210505 or later. For QNAP Systems Inc. QSS versions prior to 1.0.12 build 20210506 on QSW-M408, update to version 1.0.12 build 20210506 or later.

**Name of the Vulnerable Software and Affected Versions** QTS versions prior to 4.5.1.1456 build 20201015 QuTS hero versions prior to h4.5.1.1472 build 20201031 **Description** If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. **Recommendations** For QTS versions prior to 4.5.1.1456 build 20201015, update to QTS 4.5.1.1456 build 20201015 or later. For QuTS hero versions prior to h4.5.1.1472 build 20201031, update to QuTS hero h4.5.1.1472 build 20201031 or later. As a temporary workaround, consider restricting access to File Station until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** QNAP QTS versions prior to 4.5.1.1456 build 20201015 QNAP QTS versions prior to 4.4.3.1354 build 20200702 QNAP QuTS hero versions prior to h4.5.1.1472 build 20201031 **Description** This command injection vulnerability allows attackers to execute arbitrary commands in a compromised application. **Recommendations** For QNAP QTS versions prior to 4.5.1.1456 build 20201015, update to QTS 4.5.1.1456 build 20201015 or later. For QNAP QTS versions prior to 4.4.3.1354 build 20200702, update to QTS 4.4.3.1354 build 20200702 or later. For QNAP QuTS hero versions prior to h4.5.1.1472 build 20201031, update to QuTS hero h4.5.1.1472 build 20201031 or later.

**Name of the Vulnerable Software and Affected Versions** QTS versions prior to 4.5.1.1456 build 20201015 QuTS hero versions prior to h4.5.1.1472 build 20201031 QTS versions prior to 4.4.3.1354 build 20200702 QTS versions prior to 4.3.6.1333 build 20200608 QTS versions prior to 4.3.4.1368 build 20200703 QTS versions prior to 4.3.3.1315 build 20200611 QTS versions prior to 4.2.6 build 20200611 **Description** This cross-site scripting issue could allow remote attackers to inject malicious code in certificate configuration. **Recommendations** For QTS versions prior to 4.5.1.1456 build 20201015, update to QTS 4.5.1.1456 build 20201015 or later. For QuTS hero versions prior to h4.5.1.1472 build 20201031, update to QuTS hero h4.5.1.1472 build 20201031 or later. For QTS versions prior to 4.4.3.1354 build 20200702, update to QTS 4.4.3.1354 build 20200702 or later. For QTS versions prior to 4.3.6.1333 build 20200608, update to QTS 4.3.6.1333 build 20200608 or later. For QTS versions prior to 4.3.4.1368 build 20200703, update to QTS 4.3.4.1368 build 20200703 or later. For QTS versions prior to 4.3.3.1315 build 20200611, update to QTS 4.3.3.1315 build 20200611 or later. For QTS versions prior to 4.2.6 build 20200611, update to QTS 4.2.6 build 20200611 or later.

**Name of the Vulnerable Software and Affected Versions** QTS versions prior to 4.5.1.1456 build 20201015 QuTS hero versions prior to h4.5.1.1472 build 20201031 QTS versions prior to 4.4.3.1354 build 20200702 QTS versions prior to 4.3.6.1333 build 20200608 QTS versions prior to 4.3.4.1368 build 20200703 QTS versions prior to 4.3.3.1315 build 20200611 QTS versions prior to 4.2.6 build 20200611 **Description** This cross-site scripting issue could allow remote attackers to inject malicious code in System Connection Logs. **Recommendations** For QTS versions prior to 4.5.1.1456 build 20201015, update to QTS 4.5.1.1456 build 20201015 or later. For QuTS hero versions prior to h4.5.1.1472 build 20201031, update to QuTS hero h4.5.1.1472 build 20201031 or later. For QTS versions prior to 4.4.3.1354 build 20200702, update to QTS 4.4.3.1354 build 20200702 or later. For QTS versions prior to 4.3.6.1333 build 20200608, update to QTS 4.3.6.1333 build 20200608 or later. For QTS versions prior to 4.3.4.1368 build 20200703, update to QTS 4.3.4.1368 build 20200703 or later. For QTS versions prior to 4.3.3.1315 build 20200611, update to QTS 4.3.3.1315 build 20200611 or later. For QTS versions prior to 4.2.6 build 20200611, update to QTS 4.2.6 build 20200611 or later.

**Name of the Vulnerable Software and Affected Versions** Photo Station versions prior to 5.2.11 Photo Station versions prior to 5.4.10 Photo Station versions prior to 5.7.12 Photo Station versions prior to 5.7.13 Photo Station versions prior to 6.0.12 **Description** This issue allows remote attackers to inject malicious code through a cross-site scripting vulnerability in Photo Station. **Recommendations** For Photo Station versions prior to 5.2.11, update to version 5.2.11 or later. For Photo Station versions prior to 5.4.10, update to version 5.4.10 or later. For Photo Station versions prior to 5.7.12, update to version 5.7.12 or later. For Photo Station versions prior to 5.7.13, update to version 5.7.13 or later. For Photo Station versions prior to 6.0.12, update to version 6.0.12 or later.

**Name of the Vulnerable Software and Affected Versions** Multimedia Console versions prior to 1.1.5 **Description** This issue allows remote attackers to inject malicious code through a cross-site scripting vulnerability in Multimedia Console. **Recommendations** For versions prior to 1.1.5, update to Multimedia Console 1.1.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Music Station versions prior to 5.3.12 Music Station versions prior to 5.3.13 **Description** This issue allows remote attackers to inject malicious code through a cross-site scripting vulnerability in Music Station. **Recommendations** For Music Station versions prior to 5.3.12, update to version 5.3.12 or later. For Music Station versions prior to 5.3.13, update to version 5.3.13 or later.

**Name of the Vulnerable Software and Affected Versions** QTS versions prior to 4.5.1.1456 build 20201015 QuTS hero versions prior to h4.5.1.1472 build 20201031 QTS versions prior to 4.4.3.1354 build 20200702 QTS versions prior to 4.3.6.1333 build 20200608 QTS versions prior to 4.3.4.1368 build 20200703 QTS versions prior to 4.3.3.1315 build 20200611 QTS versions prior to 4.2.6 build 20200611 **Description** This cross-site scripting issue could allow remote attackers to inject malicious code in File Station. **Recommendations** For QTS versions prior to 4.5.1.1456 build 20201015, update to QTS 4.5.1.1456 build 20201015 or later. For QuTS hero versions prior to h4.5.1.1472 build 20201031, update to QuTS hero h4.5.1.1472 build 20201031 or later. For QTS versions prior to 4.4.3.1354 build 20200702, update to QTS 4.4.3.1354 build 20200702 or later. For QTS versions prior to 4.3.6.1333 build 20200608, update to QTS 4.3.6.1333 build 20200608 or later. For QTS versions prior to 4.3.4.1368 build 20200703, update to QTS 4.3.4.1368 build 20200703 or later. For QTS versions prior to 4.3.3.1315 build 20200611, update to QTS 4.3.3.1315 build 20200611 or later. For QTS versions prior to 4.2.6 build 20200611, update to QTS 4.2.6 build 20200611 or later.