Vulnerability Details : CVE-2020-2497
If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in System Connection Logs. QANP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later QTS 4.3.6.1333 build 20200608 and later QTS 4.3.4.1368 build 20200703 and later QTS 4.3.3.1315 build 20200611 and later QTS 4.2.6 build 20200611 and later
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2020-2497
- cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*
- cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*
- cpe:2.3:o:qnap:quts_hero:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-2497
0.12%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 45 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-2497
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST | |
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST |
CWE ids for CVE-2020-2497
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by:
- nvd@nist.gov (Primary)
- security@qnapsecurity.com.tw (Secondary)
-
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.Assigned by: security@qnapsecurity.com.tw (Secondary)
References for CVE-2020-2497
-
https://www.qnap.com/en/security-advisory/qsa-20-12
Vendor Advisory
Jump to