Stored cross-site scripting vulnerability in QES
CVE-2020-2503

9 CRITICAL

Key Information:

Vendor: QNAP
Status: Vendor
CVE Published: 23 December 2020

Summary

If exploited, this stored cross-site scripting vulnerability could allow remote attackers to inject malicious code into File Station. QNAP has already fixed this issue in QES 2.1.1 Build 20201006 and later.

Affected Version(s)

QES build 20201006 < 2.1.1

CVSS V3.1

Score: 9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

TIM Security Red Team Research