CVE-2021-28807 : A post-authentication reflected XSS vulnerability has been reported to affect QN

A post-authentication reflected XSS vulnerability has been reported to affect QNAP NAS running Q’center. If exploited, this vulnerability allows remote attackers to inject malicious code. QNAP have already fixed this vulnerability in the following versions of Q’center: QTS 4.5.3: Q’center v1.12.1012 and later QTS 4.3.6: Q’center v1.10.1004 and later QTS 4.3.3: Q’center v1.10.1004 and later QuTS hero h4.5.2: Q’center v1.12.1012 and later QuTScloud c4.5.4: Q’center v1.12.1012 and later

Published 2021-06-03 03:15:09

Updated 2021-09-14 14:30:13

Source QNAP Systems, Inc.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2021-28807

Qnap » Q'center
Versions before (<) 1.12.1012
cpe:2.3:a:qnap:q\'center:*:*:*:*:*:*:*:*
Matching versions
When used together with: Qnap » QTS » Version: 4.5.3
Qnap » Q'center
Versions before (<) 1.10.1004
cpe:2.3:a:qnap:q\'center:*:*:*:*:*:*:*:*
Matching versions
When used together with: Qnap » QTS » Version: 4.3.3

Exploit prediction scoring system (EPSS) score for CVE-2021-28807

EPSS FAQ

0.92%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 74 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-28807

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.5	LOW	AV:N/AC:M/Au:S/C:N/I:P/A:N	6.8	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
7.7	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N	3.1	4.0	QNAP Systems, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2021-28807

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: security@qnapsecurity.com.tw (Primary)

References for CVE-2021-28807

https://www.qnap.com/zh-tw/security-advisory/qsa-21-20

Post-Authentication Reflected XSS Vulnerability in Q'center - Security Advisory | QNAP
Vendor Advisory
https://www.shielder.it/advisories/qnap-qcenter-post-auth-remote-code-execution-via-qpkg/

Shielder - QNAP Q'center Post-Auth Remote Code Execution via QPKG
Exploit;Third Party Advisory
https://www.shielder.it/advisories/qnap-qcenter-virtual-stored-xss/

Shielder - QNAP Q'center Virtual Appliance < 1.12.1014 Stored XSS
Exploit;Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-28807

Products affected by CVE-2021-28807

Exploit prediction scoring system (EPSS) score for CVE-2021-28807

CVSS scores for CVE-2021-28807

CWE ids for CVE-2021-28807

References for CVE-2021-28807