Multiple Vulnerabilities in Helpdesk

Summary

Three vulnerabilities have been reported to affect earlier versions of Helpdesk. 

• CVE-2018-19946: If exploited, this improper certificate validation vulnerability could allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client.
• CVE-2018-19947: If exploited, this information exposure vulnerability could disclose sensitive information.
• CVE-2018-19948: If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application.

QNAP has already fixed these issues in the following software versions.

• All QTS versions: Helpdesk 3.0.3 and later

Recommendation

To fix these vulnerabilities, we recommend updating Helpdesk to the latest versions.

Updating Helpdesk

1. Log on to QTS as administrator.
2. Open the App Center, and then click .
   A search box appears.
3. Type “Helpdesk”, and then press ENTER.
   The Helpdesk application appears in the search results.
4. Click Update.
   A confirmation message appears.
   Note: The Update button is not available if you are using the latest version.
5. Click OK.
   The application is updated.