Security ID: NAS-201911-26

Security Advisory for Stored XSS Vulnerability in QTS Event Notification


  • Release date: November 26, 2019

  • CVE identifier: CVE-2019-7197

  • Affected products: QNAP NAS devices

Severity

Important

Status

Resolved


Summary

A stored cross-site scripting (XSS) vulnerability has been reported to affect multiple versions of QTS. If exploited, this vulnerability may allow an attacker to inject and execute scripts on the administrator console.

We have already fixed this issue in the following QTS versions.

  • QTS 4.4.1: build 20190918 and later
  • QTS 4.3.6: build 20190919 and later
  • QTS 4.3.4: build 20190921 and later
  • QTS 4.3.3: build 20190921 and later
  • QTS 4.2.6: build 20190921 and later
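
For auditing several devices against the list above, the following added example (not QNAP code) classifies firmware strings by branch and build date. The inventory string format, the status names and the sample hostnames and builds are assumptions made for illustration; branches the advisory does not list are reported as "unlisted" rather than guessed.

```python
import re

# Minimum fixed build per QTS branch, copied from the advisory's list.
FIXED_BUILDS = {
    "4.4.1": 20190918,
    "4.3.6": 20190919,
    "4.3.4": 20190921,
    "4.3.3": 20190921,
    "4.2.6": 20190921,
}

# Assumed inventory format: "[QTS ]<major.minor.patch>[.<n>] build <YYYYMMDD>"
_VERSION_RE = re.compile(
    r"^\s*(?:QTS\s+)?(\d+\.\d+\.\d+)(?:\.\d+)?\s+build\s+(\d{8})\s*$",
    re.IGNORECASE,
)

def classify(version_string):
    """Return 'fixed', 'needs-update', 'unlisted' or 'unparsed'."""
    m = _VERSION_RE.match(version_string)
    if not m:
        return "unparsed"          # do not guess from malformed data
    branch, build = m.group(1), int(m.group(2))
    minimum = FIXED_BUILDS.get(branch)
    if minimum is None:
        return "unlisted"          # the advisory says nothing about this branch
    return "fixed" if build >= minimum else "needs-update"

def audit(inventory):
    """Map hostname -> status for rows of (hostname, version_string)."""
    return {host: classify(ver) for host, ver in inventory}

# Constructed sample inventory (hostnames and build strings are made up).
SAMPLE = [
    ("nas-01", "4.4.1.1086 build 20190927"),
    ("nas-02", "4.3.6.0993 build 20190704"),
    ("nas-03", "QTS 4.3.4 build 20190921"),
    ("nas-04", "4.3.5.0760 build 20181114"),
    ("nas-05", "firmware unknown"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Devices reported as "unlisted" or "unparsed" need a manual check against the vendor's current firmware for that model.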

Recommendation

To fix this vulnerability, we recommend updating QTS to the latest version.

Installing the QTS Update

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

 

Acknowledgements: Jérémie Zanone, Security Engineer

Revision history: V1.0 (November 26, 2019) - Published
