Multiple patches were released by the Taiwan-based network-attached storage (NAS) maker QNAP.
The patches address vulnerabilities that could enable attackers to inject and execute malicious code and commands remotely on vulnerable NAS devices.
What Vulnerabilities Were Fixed?
QNAP today addressed three high-severity stored cross-site scripting (XSS) vulnerabilities (listed as CVE-2021-34354, CVE-2021-34356, and CVE-2021-34355) that impact devices running unpatched Photo Station software (releases before 5.4.10, 5.7.13, or 6.0.18).
QNAP also addressed a stored XSS issue in Image2PDF, which affected machines running software versions prior to Image2PDF 2.1.5.
Threat actors can use stored XSS attacks to inject malicious code remotely and store it on the targeted servers indefinitely after successful exploitation.
Successful attacks using the CVE-2021-34352 issue might result in NAS devices being completely taken over.
Three more QVR vulnerabilities were also addressed on Monday, according to a security warning issued by QNAP and categorized as critical severity.
What Is an XSS Attack?