Multiple Vulnerabilities in File Station

Summary

Three vulnerabilities have been reported to affect earlier versions of QTS.

• CVE-2018-19943: If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code.
• CVE-2018-19949: If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands.
• CVE-2018-19953: If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code.

QNAP has already fixed these issues in the following QTS versions.

• QTS 4.4.2.1270 build 20200410 and later
• QTS 4.4.1.1261 build 20200330 and later
• QTS 4.3.6.1263 build 20200330 and later
• QTS 4.3.4.1282 build 20200408 and later
• QTS 4.3.3.1252 build 20200409 and later
• QTS 4.2.6 build 20200421 and later

Recommendation

To fix these vulnerabilities, we recommend updating QTS to the latest versions.

Important:

Regardless of which version of QTS you currently use, QNAP strongly recommends updating your QTS to the latest available version for your NAS model to ensure that your device can benefit from vulnerability fixes. You can check the product support status of your NAS model.

Installing the QTS Update

1. Log on to QTS as administrator.
2. Go to Control Panel > System > Firmware Update.
3. Under Live Update, click Check for Update.
   QTS downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.