Quts Hero
CVE-2020-2496
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QANP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later QTS 4.3.6.1333 build 20200608 and later QTS 4.3.4.1368 build 20200703 and later QTS 4.3.3.1315 build 20200611 and later QTS 4.2.6 build 20200611 and later
AnalysisAI
If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QANP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later QTS 4.3.6.1333 build 20200608 and later QTS 4.3.4.1368 build 20200703 and later QTS 4.3.3.1315 build 20200611 and later QTS 4.2.6 build 20200611 and later Affected products include: Qnap Quts Hero, Qnap Qts.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
A prototype pollution vulnerability has been reported to affect several QNAP operating system versions. Rated high sever
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. Rated critical
Symlink following vulnerability in multiple QNAP NAS operating system versions allows remote attackers to exploit link r
An improper authentication vulnerability has been reported to affect several QNAP operating system versions. Rated criti
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. Rated critical
A command injection vulnerabilities have been reported to affect QTS and QuTS hero. Rated critical severity (CVSS 9.8),
A command injection vulnerabilities have been reported to affect QTS and QuTS hero. Rated critical severity (CVSS 9.8),
High-severity information disclosure flaw in QNAP QTS NAS operating system versions 5.2.0 through 5.2.7.3256 build 20250
Command injection vulnerability affecting QNAP NAS operating systems (QTS and QuTS hero) that allows authenticated remot
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. Rated high sev
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system ver
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system ver
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today