Skip to main content

Quts Hero CVE-2020-2497

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2020-12-10 security@qnapsecurity.com.tw
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 10, 2020 - 04:15 nvd
MEDIUM 6.1

DescriptionNVD

If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in System Connection Logs. QANP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later QTS 4.3.6.1333 build 20200608 and later QTS 4.3.4.1368 build 20200703 and later QTS 4.3.3.1315 build 20200611 and later QTS 4.2.6 build 20200611 and later

AnalysisAI

If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in System Connection Logs. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in System Connection Logs. QANP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS 4.5.1.1456 build 20201015 and later QTS 4.4.3.1354 build 20200702 and later QTS 4.3.6.1333 build 20200608 and later QTS 4.3.4.1368 build 20200703 and later QTS 4.3.3.1315 build 20200611 and later QTS 4.2.6 build 20200611 and later Affected products include: Qnap Quts Hero, Qnap Qts.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2023-39296 HIGH POC
7.5 Jan 05

A prototype pollution vulnerability has been reported to affect several QNAP operating system versions. Rated high sever

CVE-2024-32766 CRITICAL
10.0 Apr 26

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. Rated critical

CVE-2025-66277 CRITICAL
9.8 Feb 11

Symlink following vulnerability in multiple QNAP NAS operating system versions allows remote attackers to exploit link r

CVE-2024-21899 CRITICAL POC
9.8 Mar 08

An improper authentication vulnerability has been reported to affect several QNAP operating system versions. Rated criti

CVE-2023-23368 CRITICAL
9.8 Nov 03

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. Rated critical

CVE-2021-28804 CRITICAL
9.8 Jul 01

A command injection vulnerabilities have been reported to affect QTS and QuTS hero. Rated critical severity (CVSS 9.8),

CVE-2021-28802 CRITICAL
9.8 Jul 01

A command injection vulnerabilities have been reported to affect QTS and QuTS hero. Rated critical severity (CVSS 9.8),

CVE-2025-66276 CRITICAL
9.2 Jun 10

High-severity information disclosure flaw in QNAP QTS NAS operating system versions 5.2.0 through 5.2.7.3256 build 20250

CVE-2025-22481 HIGH
8.8 Jun 06

Command injection vulnerability affecting QNAP NAS operating systems (QTS and QuTS hero) that allows authenticated remot

CVE-2024-21898 HIGH
8.8 Sep 06

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. Rated high sev

CVE-2024-27130 HIGH
8.8 May 21

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system ver

CVE-2024-27129 HIGH
8.8 May 21

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system ver

Share

CVE-2020-2497 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy