安全ID : QSA-20-17
Multiple Vulnerabilities in QES
发布日期 : December 23, 2020
通用漏洞披露 : CVE-2020-2503 | CVE-2020-2504 | CVE-2020-2505
受影响产品: QNAP NAS running QES
严重程度
Important
状态
已解决
Summary
Three vulnerabilities have been reported to affect earlier versions of QES.
- CVE-2020-2503: If exploited, this stored cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station.
- CVE-2020-2504: If exploited, this absolute path traversal vulnerability could allow attackers to traverse files in File Station.
- CVE-2020-2505: If exploited, this vulnerability could allow attackers to gain sensitive information via generation of error messages.
QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later.
Recommendation
To fix these vulnerabilities, we recommend updating QES to the latest version.
Installing the QES Update
- Log on to QES as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QES downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.
致谢: TIM Security Red Team Research
修订历史: V1.0 (December 23, 2020) - Published
