Tony Martin

**Name of the Vulnerable Software and Affected Versions** QNAP Proxy Server versions prior to 1.4.2 QNAP Proxy Server versions prior to 1.4.3 in QuTS hero h5.0.0 QNAP Proxy Server versions prior to 1.4.2 in QuTScloud c4.5.6 **Description** A cross-site request forgery (CSRF) vulnerability has been reported to affect QNAP devices running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. **Recommendations** For QTS 4.5.x, update Proxy Server to version 1.4.2 or later. For QuTS hero h5.0.0, update Proxy Server to version 1.4.3 or later. For QuTScloud c4.5.6, update Proxy Server to version 1.4.2 or later.

**Name of the Vulnerable Software and Affected Versions** QNAP Proxy Server versions prior to 1.4.2 **Description** A cross-site scripting (XSS) vulnerability has been reported to affect QNAP devices running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. **Recommendations** For QNAP Proxy Server versions prior to 1.4.2, update to Proxy Server 1.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Proxy Server until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** QNAP Proxy Server versions prior to 1.4.2 **Description** A cross-site scripting (XSS) vulnerability has been reported to affect QNAP devices running Proxy Server. If exploited, this vulnerability allows remote attackers to inject malicious code. **Recommendations** For QNAP Proxy Server versions prior to 1.4.2, update to Proxy Server 1.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Proxy Server until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** QNAP QcalAgent versions prior to 1.1.7 **Description** An open redirect issue has been reported, allowing attackers to redirect users to untrusted pages containing malware. **Recommendations** For QNAP QcalAgent versions prior to 1.1.7, update to QcalAgent 1.1.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QNAP QcalAgent versions prior to 1.1.7 **Description** A cross-site scripting (XSS) issue has been reported, allowing remote attackers to inject malicious code. **Recommendations** For versions prior to 1.1.7, update to QcalAgent version 1.1.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QTS versions prior to 4.5.4.1787 build 20210910 QuTS hero versions prior to h4.5.4.1771 build 20210825 QuTScloud versions prior to c4.5.7.1864 **Description** A cross-site scripting (XSS) vulnerability has been reported to affect QTS, QuTS hero, and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. **Recommendations** For QTS versions prior to 4.5.4.1787 build 20210910, update to version 4.5.4.1787 build 20210910 or later. For QuTS hero versions prior to h4.5.4.1771 build 20210825, update to version h4.5.4.1771 build 20210825 or later. For QuTScloud versions prior to c4.5.7.1864, update to version c4.5.7.1864 or later.

Name of the Vulnerable Software and Affected Versions: QmailAgent versions prior to 3.0.2 Description: A fix for the issue has been implemented in QmailAgent version 3.0.2 and later. Recommendations: For versions prior to 3.0.2, update to version 3.0.2 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: QNAP QmailAgent versions prior to 3.0.2 Description: A cross-site scripting (XSS) issue has been reported, allowing remote attackers to inject malicious code. Recommendations: For QNAP QmailAgent versions prior to 3.0.2, update to QmailAgent 3.0.2 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Media Streaming add-on versions prior to 500.0.0.3 Media Streaming add-on versions prior to 430.1.8.12 Description: A command injection issue has been reported, allowing remote attackers to run arbitrary commands on QNAP devices running the Media Streaming add-on. Recommendations: For Media Streaming add-on versions prior to 500.0.0.3, update to version 500.0.0.3 or later. For Media Streaming add-on versions prior to 430.1.8.12, update to version 430.1.8.12 or later.

Name of the Vulnerable Software and Affected Versions: Photo Station versions prior to 5.4.10 Photo Station versions prior to 5.7.13 Photo Station versions prior to 6.0.18 Description: A cross-site scripting (XSS) issue has been reported, allowing remote attackers to inject malicious code. Recommendations: For Photo Station versions prior to 5.4.10, update to version 5.4.10 or later. For Photo Station versions prior to 5.7.13, update to version 5.7.13 or later. For Photo Station versions prior to 6.0.18, update to version 6.0.18 or later.

Name of the Vulnerable Software and Affected Versions: Photo Station versions prior to 6.0.18 Description: A cross-site scripting (XSS) issue has been reported, allowing remote attackers to inject malicious code. Recommendations: For versions prior to 6.0.18, update to Photo Station 6.0.18 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Image2PDF versions prior to 2.1.5 **Description** A cross-site scripting (XSS) issue has been reported, allowing remote attackers to inject malicious code. **Recommendations** For versions prior to 2.1.5, update to version 2.1.5 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Photo Station versions prior to 6.0.18 Description: A cross-site scripting (XSS) issue has been reported, allowing remote attackers to inject malicious code. Recommendations: For versions prior to 6.0.18, update to Photo Station 6.0.18 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QNAP NAS application Proxy Server versions prior to 1.2.1 **Description** The issue is related to improper authentication of requests. Successful exploitation can lead to unauthorized changes in the settings of the Proxy Server. **Recommendations** For versions prior to 1.2.1, update to version 1.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Proxy Server settings until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** QNAP NAS application Proxy Server versions prior to 1.2.1 **Description** The issue allows remote attackers to run arbitrary OS commands against the system with root privileges. **Recommendations** For versions prior to 1.2.1, update to version 1.2.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QNAP NAS application Proxy Server versions prior to 1.2.1 **Description** The issue is related to the lack of CSRF protections in the Proxy Server application. **Recommendations** For versions prior to 1.2.1, update to version 1.2.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QNAP QTS versions 4.2.6 build 20171026 and earlier, QTS 4.3.3 build 20170727 and earlier **Description** A cross-site scripting (XSS) issue exists in the File Station of QNAP QTS, allowing remote attackers to inject arbitrary web script or HTML. This can lead to the execution of malicious code on the victim's browser. **Recommendations** For QNAP QTS versions 4.2.6 build 20171026 and earlier, and QTS 4.3.3 build 20170727 and earlier, consider disabling the File Station feature until a patch is available to prevent potential exploitation.

**Name of the Vulnerable Software and Affected Versions** QNAP NAS application Media Streaming add-on versions 421.1.0.2, 430.1.2.0, and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML into the Media Streaming add-on. The injected code is triggered by a crafted link, rather than the normal page. **Recommendations** For QNAP NAS application Media Streaming add-on versions 421.1.0.2, 430.1.2.0, and earlier, update to a version later than 430.1.2.0 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QNAP Qfinder Pro versions 6.1.0.0317 and earlier **Description** The issue may expose sensitive information contained in NAS devices, potentially allowing attackers to further compromise the device. **Recommendations** For QNAP Qfinder Pro versions 6.1.0.0317 and earlier, update to a version later than 6.1.0.0317 to resolve the issue.