Security ID: NAS-201709-29
Security Advisory for SQL Injection in HelpDesk
Release date: September 29, 2017
CVE identifier: CVE-2017-13068
Affected products: QTS Helpdesk versions 1.1.12 and earlier
Severity: Critical
Status: Resolved
Summary
Kacper Szurek, an independent security researcher, reported a vulnerability affecting QTS HelpDesk through Beyond Security’s SecuriTeam Secure Disclosure program. QNAP acknowledges Mr. Szurek’s discovery and appreciates his efforts.
QNAP has already patched this vulnerability. It allows a remote attacker to perform SQL injection against the application and obtain application information. The attacker does not require any privileges to successfully execute this attack.
This vulnerability is fixed in QTS Helpdesk 1.1.15.
Recommendations
To resolve the issue, you must update your QTS Helpdesk version to 1.1.15:
Upgrading to Helpdesk 1.1.15
- Log on to QTS as administrator.
- Open the App Center and then click the Search icon.
- Type “Helpdesk” and then press ENTER.
- The Helpdesk application appears in the search results list.
- Click Update.
- A confirmation message appears.
- Click OK.
- The application is updated.
Revision history: 2017-09-29