安全ID : NAS-201811-29
Security Advisory for XSS Vulnerability in Qsync Central
发布日期 : November 29, 2018
通用漏洞披露 : CVE-2018-0716
受影响产品: QTS 4.2.6 build 20180711 and earlier versions
QTS 4.3.3: Qsync Central 3.0.2 and earlier versions
QTS 4.3.4: Qsync Central 3.0.3 and earlier versions
QTS 4.3.5: Qsync Central 3.0.4 and earlier versions
严重程度
Important
状态
已解决
Summary
A cross-site scripting vulnerability has been reported to affect Qsync Central. If successfully exploited, the vulnerability could allow remote attackers to inject Javascript code in the compromised application.
We have already fixed these issues in following versions.
- QTS 4.2.6: build 20180829 and later
- QTS 4.3.3: Qsync Central 3.0.2.01 and later
- QTS 4.3.4: Qsync Central 3.0.3.01 and later
- QTS 4.3.5: Qsync Central 3.0.4.01 and later
Recommendation
To resolve the issue, you must perform the following:
- QTS 4.2.6: Update QTS to the latest version.
- QTS 4.3.3, 4.3.4, and 4.3.5: Update Qsync Central to the latest version.
Installing the QTS Update
- Log on to QTS as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS downloads and installs the latest available update.
Updating Qsync Central
- Log on to QTS as administrator.
- Open the App Center, and then click the Search icon.
A search box appears. - Type “Qsync Central”, and then press ENTER.
The Qsync Central application appears in the search results list. - Click Update.
A confirmation message appears. - Click OK.
The application is updated.
致谢: Marcin Zieba, information security researcher and pentester
修订历史: V1.0 (November 29, 2018) - Published
