JVNDB-2016-000119

[Japanese]
JVNDB-2016-000119
QNAP QTS vulnerable to cross-site scripting
Overview
QNAP QTS is an operating system for Turbo NAS. QNAP QTS contains a cross-site scripting vulnerability (CWE-79). Keigo YAMAZAKI of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V3 Severity: Base Metrics 6.1 (Medium) [IPA Score] Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality Impact: Low Integrity Impact: Low Availability Impact: None CVSS V2 Severity: Base Metrics 4.3 (Medium) [IPA Score] Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
Affected Products

QNAP Systems QNAP QTS versions prior to 4.2.0

Impact
An arbitrary script may be executed on the user's web browser.
Solution
[Update the Firmware] Update to the latest version of firmware according to the information provided by the developer.
Vendor Information
QNAP Systems QNAP Systems, Inc. : Security vulnerabilities addressed in QTS 4.2.1 Build 20160601
CWE (What is CWE?)
Cross-site Scripting(CWE-79) [IPA Evaluation]
CVE (What is CVE?)
CVE-2015-5664
References
JVN : JVN#42930233 National Vulnerability Database (NVD) : CVE-2015-5664
Revision History
[2016/06/27] Web page was published [2016/08/03] References : Content was added

QNAP QTS vulnerable to cross-site scripting