CVE-2018-19953
In short
This is a cross-site scripting (XSS) vulnerability in QNAP QTS that allows attackers to inject malicious code into the system. If exploited, it could compromise user sessions or steal sensitive data.
Technical detail
A reflected or stored XSS vulnerability (CWE-79, CWE-80) in QNAP QTS enables remote attackers to inject arbitrary JavaScript code that executes in the context of authenticated users or administrators. The vulnerability affects multiple QTS versions prior to specified patched builds and requires user interaction or privileged access to exploit.
Summary generated and translated by AI from the official description.
If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed the issue in the following QTS versions: QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
QNAP Systems Inc. · QTS