Search criteria
37 vulnerabilities found for Helpdesk by Qnap
CERTFR-2025-AVI-0188
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Qnap. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Qnap | HBS 3 Hybrid Backup Sync | HBS 3 Hybrid Backup Sync versions 25.1.x antérieures à 25.1.4.952 | ||
| Qnap | QuTS hero | QuTS hero versions h5.1.x antérieures à h5.1.9.2954 build 20241120 | ||
| Qnap | QuLog Center | QuLog Center versions 1.8.x antérieures à 1.8.0.888 | ||
| Qnap | File Station | File Station versions 5.5.x antérieures à 5.5.6.4741 | ||
| Qnap | QTS | QTS versions 5.1.x antérieures à 5.1.9.2954 build 20241120 | ||
| Qnap | Helpdesk | Helpdesk versions 3.3.x antérieurs à 3.3.3 | ||
| Qnap | QuRouter | QuRouter versions 2.4.x antérieures à 2.4.6.028 | ||
| Qnap | QVPN | QVPN Device Client versions 2.2.x antérieures à 2.2.5 pour Mac | ||
| Qnap | QTS | QTS versions 5.2.x antérieures à 5.2.3.3006 build 20250108 | ||
| Qnap | QTS | QTS versions 4.5.x antérieures à 4.5.4.2957 build 20241119 | ||
| Qnap | QuTS hero | QuTS hero versions h4.5.x antérieures à h4.5.4.2956 build 20241119 | ||
| Qnap | QuLog Center | QuLog Center versions 1.7.x antérieures à 1.7.0.829 | ||
| Qnap | Qsync | Qsync Client versions 5.1.x antérieures à 5.1.3 pour Mac | ||
| Qnap | QuTS hero | QuTS hero versions h5.2.x antérieures à h5.2.3.3006 build 20250108 | ||
| Qnap | Qfinder | Qfinder Pro Mac versions 7.11.x antérieures à 7.11.1 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "HBS 3 Hybrid Backup Sync versions 25.1.x ant\u00e9rieures \u00e0 25.1.4.952",
"product": {
"name": "HBS 3 Hybrid Backup Sync",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h5.1.x ant\u00e9rieures \u00e0 h5.1.9.2954 build 20241120",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuLog Center versions 1.8.x ant\u00e9rieures \u00e0 1.8.0.888",
"product": {
"name": "QuLog Center",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "File Station versions 5.5.x ant\u00e9rieures \u00e0 5.5.6.4741",
"product": {
"name": "File Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 5.1.x ant\u00e9rieures \u00e0 5.1.9.2954 build 20241120",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Helpdesk versions 3.3.x ant\u00e9rieurs \u00e0 3.3.3",
"product": {
"name": "Helpdesk",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuRouter versions 2.4.x ant\u00e9rieures \u00e0 2.4.6.028",
"product": {
"name": "QuRouter",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QVPN Device Client versions 2.2.x ant\u00e9rieures \u00e0 2.2.5 pour Mac",
"product": {
"name": "QVPN",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 5.2.x ant\u00e9rieures \u00e0 5.2.3.3006 build 20250108",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.5.x ant\u00e9rieures \u00e0 4.5.4.2957 build 20241119",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h4.5.x ant\u00e9rieures \u00e0 h4.5.4.2956 build 20241119",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuLog Center versions 1.7.x ant\u00e9rieures \u00e0 1.7.0.829",
"product": {
"name": "QuLog Center",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qsync Client versions 5.1.x ant\u00e9rieures \u00e0 5.1.3 pour Mac",
"product": {
"name": "Qsync",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h5.2.x ant\u00e9rieures \u00e0 h5.2.3.3006 build 20250108",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Qfinder Pro Mac versions 7.11.x ant\u00e9rieures \u00e0 7.11.1",
"product": {
"name": "Qfinder",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-53695",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53695"
},
{
"name": "CVE-2024-50390",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50390"
},
{
"name": "CVE-2024-53700",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53700"
},
{
"name": "CVE-2024-53696",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53696"
},
{
"name": "CVE-2024-53698",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53698"
},
{
"name": "CVE-2024-53693",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53693"
},
{
"name": "CVE-2024-53694",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53694"
},
{
"name": "CVE-2024-53697",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53697"
},
{
"name": "CVE-2024-48864",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-48864"
},
{
"name": "CVE-2024-50394",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50394"
},
{
"name": "CVE-2024-13086",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-13086"
},
{
"name": "CVE-2024-53699",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53699"
},
{
"name": "CVE-2024-53692",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53692"
},
{
"name": "CVE-2024-50405",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50405"
},
{
"name": "CVE-2024-38638",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38638"
}
],
"links": [],
"reference": "CERTFR-2025-AVI-0188",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-03-10T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Qnap. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
"vendor_advisories": [
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-03",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-03"
},
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-55",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-55"
},
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-52",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-52"
},
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-06",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-06"
},
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-53",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-53"
},
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-07",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-07"
},
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-05",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-05"
},
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-25-01",
"url": "https://www.qnap.com/go/security-advisory/qsa-25-01"
},
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-54",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-54"
},
{
"published_at": "2025-03-08",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-51",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-51"
}
]
}
CERTFR-2024-AVI-0752
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Qnap. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Qnap | QuTS hero | QuTS hero versions h4.5.x antérieures à h4.5.4.2790 build 20240606 | ||
| Qnap | QTS | QTS versions 4.3.4 antérieures à 4.3.4.2814 build 20240618 | ||
| Qnap | Download Station | Download Station versions 5.8.x antérieures à 5.8.6.283 | ||
| Qnap | QTS | QTS versions 4.3.3 antérieures à 4.3.3.2784 build 20240619 | ||
| Qnap | QuMagie | QuMagie versions 2.3.x antérieures à 2.3.1 | ||
| Qnap | QTS | QTS versions 4.2.6 antérieures à 4.2.6 build 20240618 | ||
| Qnap | QTS | QTS versions 4.3.6 antérieures à 4.3.6.2805 build 20240619 | ||
| Qnap | Helpdesk | Helpdesk versions 3.3.x antérieures à 3.3.1 | ||
| Qnap | Notes Station | Notes Station 3 versions 3.9.x antérieures à 3.9.6 | ||
| Qnap | QTS | QTS versions 5.1.x antérieures à 5.2.0.2782 build 20240601 | ||
| Qnap | QuTS hero | QuTS hero versions h4.5.x antérieures à h4.5.4.2626 build 20231225 | ||
| Qnap | QuTS hero | QuTS hero versions h5.1.x antérieures à h5.2.0.2782 build 20240601 | ||
| Qnap | Music Station | Music Station versions 5.4.x antérieures à 5.4.0 | ||
| Qnap | Video Station | Video Station versions 5.8.x antérieures à 5.8.2 | ||
| Qnap | QTS | QTS versions 4.5.x antérieures à 4.5.4.2790 build 20240605 | ||
| Qnap | QuLog Center | QuLog Center versions 1.7.x.x antérieures à 1.7.0.827 | ||
| Qnap | QuLog Center | QuLog Center versions 1.8.x.x antérieures à 1.8.0.872 | ||
| Qnap | QVR | QVR Smart Client versions 2.4.x.x antérieures à 2.4.0.0570 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "QuTS hero versions h4.5.x ant\u00e9rieures \u00e0 h4.5.4.2790 build 20240606",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.3.4 ant\u00e9rieures \u00e0 4.3.4.2814 build 20240618",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Download Station versions 5.8.x ant\u00e9rieures \u00e0 5.8.6.283",
"product": {
"name": "Download Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.3.3 ant\u00e9rieures \u00e0 4.3.3.2784 build 20240619",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuMagie versions 2.3.x ant\u00e9rieures \u00e0 2.3.1",
"product": {
"name": "QuMagie",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.2.6 ant\u00e9rieures \u00e0 4.2.6 build 20240618",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.3.6 ant\u00e9rieures \u00e0 4.3.6.2805 build 20240619",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Helpdesk versions 3.3.x ant\u00e9rieures \u00e0 3.3.1",
"product": {
"name": "Helpdesk",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Notes Station 3 versions 3.9.x ant\u00e9rieures \u00e0 3.9.6",
"product": {
"name": "Notes Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 5.1.x ant\u00e9rieures \u00e0 5.2.0.2782 build 20240601",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h4.5.x ant\u00e9rieures \u00e0 h4.5.4.2626 build 20231225",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuTS hero versions h5.1.x ant\u00e9rieures \u00e0 h5.2.0.2782 build 20240601",
"product": {
"name": "QuTS hero",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Music Station versions 5.4.x ant\u00e9rieures \u00e0 5.4.0",
"product": {
"name": "Music Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Video Station versions 5.8.x ant\u00e9rieures \u00e0 5.8.2",
"product": {
"name": "Video Station",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QTS versions 4.5.x ant\u00e9rieures \u00e0 4.5.4.2790 build 20240605",
"product": {
"name": "QTS",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuLog Center versions 1.7.x.x ant\u00e9rieures \u00e0 1.7.0.827",
"product": {
"name": "QuLog Center",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QuLog Center versions 1.8.x.x ant\u00e9rieures \u00e0 1.8.0.872",
"product": {
"name": "QuLog Center",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QVR Smart Client versions 2.4.x.x ant\u00e9rieures \u00e0 2.4.0.0570",
"product": {
"name": "QVR",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2022-27592",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27592"
},
{
"name": "CVE-2023-50360",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50360"
},
{
"name": "CVE-2024-32762",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32762"
},
{
"name": "CVE-2024-21906",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21906"
},
{
"name": "CVE-2024-38640",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38640"
},
{
"name": "CVE-2024-53691",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53691"
},
{
"name": "CVE-2023-34974",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34974"
},
{
"name": "CVE-2024-27125",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27125"
},
{
"name": "CVE-2024-32763",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32763"
},
{
"name": "CVE-2024-27126",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27126"
},
{
"name": "CVE-2023-47563",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47563"
},
{
"name": "CVE-2024-38641",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38641"
},
{
"name": "CVE-2024-38642",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38642"
},
{
"name": "CVE-2023-34979",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34979"
},
{
"name": "CVE-2023-39298",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39298"
},
{
"name": "CVE-2023-39300",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39300"
},
{
"name": "CVE-2023-45038",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45038"
},
{
"name": "CVE-2024-32771",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-32771"
},
{
"name": "CVE-2023-38545",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38545"
},
{
"name": "CVE-2024-27122",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27122"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-0752",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-09-09T00:00:00.000000"
},
{
"description": "Ajout de l\u0027identifiant CVE-2024-53691.",
"revision_date": "2025-01-21T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Qnap. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
"vendor_advisories": [
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-24",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-24"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-26",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-26"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-34",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-34"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-30",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-30"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-21",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-21"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-27",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-27"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-29",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-29"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-28",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-28"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-32",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-32"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-25",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-25"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-33",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-33"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-22",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-22"
},
{
"published_at": "2024-09-07",
"title": "Bulletin de s\u00e9curit\u00e9 Qnap QSA-24-35",
"url": "https://www.qnap.com/go/security-advisory/qsa-24-35"
}
]
}
CERTFR-2021-AVI-459
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Qnap. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un problème de sécurité non spécifié par l'éditeur et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Qnap | N/A | QSW-M2108R-2C: QSS versions antérieures à 1.0.2 build 20210122 | ||
| Qnap | N/A | QSW-M2108-2C: QSS versions antérieures à 1.0.3 build 20210505 | ||
| Qnap | N/A | QSW-M2108-2S: QSS versions antérieures à 1.0.3 build 20210505 | ||
| Qnap | N/A | QSW-M2108-2C: QSS versions antérieures à 1.0.2 build 20210122 | ||
| Qnap | N/A | QSW-M2108-2S: QSS versions antérieures à 1.0.2 build 20210122 | ||
| Qnap | Helpdesk | Helpdesk versions antérieures à 3.0.4 | ||
| Qnap | N/A | Roon Server versions antérieures à 2021-05-18 | ||
| Qnap | N/A | QSW-M2108R-2C: QSS versions antérieures à 1.0.3 build 20210505 | ||
| Qnap | N/A | QSW-M408: QSS versions antérieures à 1.0.12 build 20210506 |
References
| Title | Publication Time | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "QSW-M2108R-2C: QSS versions ant\u00e9rieures \u00e0 1.0.2 build 20210122",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QSW-M2108-2C: QSS versions ant\u00e9rieures \u00e0 1.0.3 build 20210505",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QSW-M2108-2S: QSS versions ant\u00e9rieures \u00e0 1.0.3 build 20210505",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QSW-M2108-2C: QSS versions ant\u00e9rieures \u00e0 1.0.2 build 20210122",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QSW-M2108-2S: QSS versions ant\u00e9rieures \u00e0 1.0.2 build 20210122",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Helpdesk versions ant\u00e9rieures \u00e0 3.0.4",
"product": {
"name": "Helpdesk",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "Roon Server versions ant\u00e9rieures \u00e0 2021-05-18",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QSW-M2108R-2C: QSS versions ant\u00e9rieures \u00e0 1.0.3 build 20210505",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
},
{
"description": "QSW-M408: QSS versions ant\u00e9rieures \u00e0 1.0.12 build 20210506",
"product": {
"name": "N/A",
"vendor": {
"name": "Qnap",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-28805",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28805"
},
{
"name": "CVE-2021-28810",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28810"
},
{
"name": "CVE-2021-28801",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28801"
},
{
"name": "CVE-2021-28811",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28811"
}
],
"links": [],
"reference": "CERTFR-2021-AVI-459",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-06-11T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Qnap.\nElles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code\narbitraire \u00e0 distance,\u00a0un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par\nl\u0027\u00e9diteur et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Qnap",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-21-25 du 11 juin 2021",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-21-25"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-21-23 du 11 juin 2021",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-21-23"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-21-24 du 11 juin 2021",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-21-24"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Qnap qsa-21-17 du 14 mai 2021",
"url": "https://www.qnap.com/fr-fr/security-advisory/qsa-21-17"
}
]
}
FKIE_CVE-2024-27125
Vulnerability from fkie_nvd - Published: 2024-09-06 17:15 - Updated: 2024-09-13 21:06
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
A cross-site scripting (XSS) vulnerability has been reported to affect Helpdesk. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network.
We have already fixed the vulnerability in the following version:
Helpdesk 3.3.1 and later
References
| URL | Tags | ||
|---|---|---|---|
| security@qnapsecurity.com.tw | https://www.qnap.com/en/security-advisory/qsa-24-29 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap:helpdesk:*:*:*:*:*:*:*:*",
"matchCriteriaId": "337B1AD1-380B-4FFC-91E9-7CE5BF598C28",
"versionEndExcluding": "3.3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability has been reported to affect Helpdesk. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network.\n\nWe have already fixed the vulnerability in the following version:\nHelpdesk 3.3.1 and later"
},
{
"lang": "es",
"value": "Se ha informado de una vulnerabilidad de cross site scripting (XSS) que afecta a Helpdesk. Si se explota, la vulnerabilidad podr\u00eda permitir a los administradores autenticados inyectar c\u00f3digo malicioso a trav\u00e9s de una red. Ya hemos corregido la vulnerabilidad en la siguiente versi\u00f3n: Helpdesk 3.3.1 y posteriores"
}
],
"id": "CVE-2024-27125",
"lastModified": "2024-09-13T21:06:37.417",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 2.5,
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-09-06T17:15:14.927",
"references": [
{
"source": "security@qnapsecurity.com.tw",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-24-29"
}
],
"sourceIdentifier": "security@qnapsecurity.com.tw",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@qnapsecurity.com.tw",
"type": "Primary"
}
]
}
FKIE_CVE-2021-28814
Vulnerability from fkie_nvd - Published: 2021-06-11 07:15 - Updated: 2024-11-21 06:00
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
An improper access control vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows remote attackers to compromise the security of the software. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.4.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap:helpdesk:*:*:*:*:*:*:*:*",
"matchCriteriaId": "44688E7A-E038-492C-BAF9-5A2F25CD4B0A",
"versionEndExcluding": "3.0.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An improper access control vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows remote attackers to compromise the security of the software. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.4."
},
{
"lang": "es",
"value": "Se ha reportado una vulnerabilidad de control de acceso inapropiado que afecta a QNAP NAS. Si es explotada, esta vulnerabilidad permite a atacantes remotos comprometer la seguridad del software. Este problema afecta: QNAP Systems Inc. versiones anteriores a 3.0.4"
}
],
"id": "CVE-2021-28814",
"lastModified": "2024-11-21T06:00:15.227",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-11T07:15:06.657",
"references": [
{
"source": "security@qnapsecurity.com.tw",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-25"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-25"
}
],
"sourceIdentifier": "security@qnapsecurity.com.tw",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-2506
Vulnerability from fkie_nvd - Published: 2021-02-03 16:15 - Updated: 2025-10-27 17:01
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The vulnerability have been reported to affect earlier versions of QTS. If exploited, this improper access control vulnerability could allow attackers to compromise the security of the software by gaining privileges, or reading sensitive information. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3.
References
{
"cisaActionDue": "2022-04-15",
"cisaExploitAdd": "2022-03-25",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "QNAP Helpdesk Improper Access Control Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap:helpdesk:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A920C2BE-51B6-4F9A-8394-E975A5409A12",
"versionEndExcluding": "3.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The vulnerability have been reported to affect earlier versions of QTS. If exploited, this improper access control vulnerability could allow attackers to compromise the security of the software by gaining privileges, or reading sensitive information. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3."
},
{
"lang": "es",
"value": "La vulnerabilidad ha sido reportada para afectar a versiones anteriores de QTS. Si es explotada, esta vulnerabilidad de control de acceso inapropiado podr\u00eda permitir a atacantes obtener el control de un dispositivo QNAP. Este problema afecta a: QNAP Systems Inc. Helpdesk versiones anteriores a 3.0.3"
}
],
"id": "CVE-2020-2506",
"lastModified": "2025-10-27T17:01:20.907",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-03T16:15:13.807",
"references": [
{
"source": "security@qnapsecurity.com.tw",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"US Government Resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2506"
}
],
"sourceIdentifier": "security@qnapsecurity.com.tw",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-2507
Vulnerability from fkie_nvd - Published: 2021-02-03 16:15 - Updated: 2024-11-21 05:25
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The vulnerability have been reported to affect earlier versions of QTS. If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap:helpdesk:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A920C2BE-51B6-4F9A-8394-E975A5409A12",
"versionEndExcluding": "3.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The vulnerability have been reported to affect earlier versions of QTS. If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3."
},
{
"lang": "es",
"value": "La vulnerabilidad ha sido reportada para afectar a versiones anteriores de QTS. Si es explotada, esta vulnerabilidad de control de acceso inapropiado podr\u00eda permitir a atacantes obtener el control de un dispositivo QNAP. Este problema afecta a: QNAP Systems Inc. Helpdesk versiones anteriores a 3.0.3"
}
],
"id": "CVE-2020-2507",
"lastModified": "2024-11-21T05:25:22.940",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-03T16:15:13.930",
"references": [
{
"source": "security@qnapsecurity.com.tw",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08"
}
],
"sourceIdentifier": "security@qnapsecurity.com.tw",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
},
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-19948
Vulnerability from fkie_nvd - Published: 2020-09-11 15:15 - Updated: 2024-11-21 03:58
Severity ?
2.0 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Summary
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap:helpdesk:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A920C2BE-51B6-4F9A-8394-E975A5409A12",
"versionEndExcluding": "3.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application. QNAP has already fixed the issue in Helpdesk 3.0.3 and later."
},
{
"lang": "es",
"value": "Se ha reportado que la vulnerabilidad afecta a versiones anteriores de Helpdesk.\u0026#xa0;Si es explotada, esta vulnerabilidad de tipo cross-site request forgery (CSRF) podr\u00eda permitir a atacantes obligar a usuarios del NAS a ejecutar acciones involuntarias por medio de una aplicaci\u00f3n web.\u0026#xa0;QNAP ya corrigi\u00f3 el problema en Helpdesk versiones 3.0.3 y posteriores"
}
],
"id": "CVE-2018-19948",
"lastModified": "2024-11-21T03:58:52.110",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.0,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 1.4,
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-09-11T15:15:10.993",
"references": [
{
"source": "security@qnapsecurity.com.tw",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
],
"sourceIdentifier": "security@qnapsecurity.com.tw",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-19947
Vulnerability from fkie_nvd - Published: 2020-09-11 15:15 - Updated: 2024-11-21 03:58
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this information exposure vulnerability could disclose sensitive information. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap:helpdesk:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A920C2BE-51B6-4F9A-8394-E975A5409A12",
"versionEndExcluding": "3.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this information exposure vulnerability could disclose sensitive information. QNAP has already fixed the issue in Helpdesk 3.0.3 and later."
},
{
"lang": "es",
"value": "Se ha reportado que la vulnerabilidad afecta a versiones anteriores de Helpdesk.\u0026#xa0;Si es explotada, esta vulnerabilidad de exposici\u00f3n de informaci\u00f3n podr\u00eda revelar informaci\u00f3n confidencial.\u0026#xa0;QNAP ya corrigi\u00f3 el problema en Helpdesk versiones 3.0.3 y posteriores"
}
],
"id": "CVE-2018-19947",
"lastModified": "2024-11-21T03:58:51.980",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-09-11T15:15:10.900",
"references": [
{
"source": "security@qnapsecurity.com.tw",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
],
"sourceIdentifier": "security@qnapsecurity.com.tw",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
},
{
"lang": "en",
"value": "CWE-209"
},
{
"lang": "en",
"value": "CWE-210"
}
],
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-209"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-19946
Vulnerability from fkie_nvd - Published: 2020-09-11 15:15 - Updated: 2024-11-21 03:58
Severity ?
4.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this improper certificate validation vulnerability could allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap:helpdesk:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A920C2BE-51B6-4F9A-8394-E975A5409A12",
"versionEndExcluding": "3.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this improper certificate validation vulnerability could allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. QNAP has already fixed the issue in Helpdesk 3.0.3 and later."
},
{
"lang": "es",
"value": "Se ha reportado que la vulnerabilidad afecta a versiones anteriores de Helpdesk.\u0026#xa0;Si es explotada, esta vulnerabilidad de comprobaci\u00f3n de certificado inapropiada podr\u00eda permitir a un atacante falsificar una entidad confiable interfiriendo en la ruta de comunicaci\u00f3n entre el host y el cliente.\u0026#xa0;QNAP ya corrigi\u00f3 el problema en Helpdesk versiones 3.0.3 y posteriores"
}
],
"id": "CVE-2018-19946",
"lastModified": "2024-11-21T03:58:51.847",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 2.5,
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-09-11T15:15:10.807",
"references": [
{
"source": "security@qnapsecurity.com.tw",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
],
"sourceIdentifier": "security@qnapsecurity.com.tw",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
},
{
"lang": "en",
"value": "CWE-297"
}
],
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-2500
Vulnerability from fkie_nvd - Published: 2020-07-01 16:15 - Updated: 2024-11-21 05:25
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Attackers can access the sensitive data on QNAP Kayako server with API keys. We have replaced the API key to mitigate the vulnerability, and already fixed the issue in Helpdesk 3.0.1 and later versions.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap:helpdesk:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5CDD782D-3CC8-4828-A6D7-2F77FE6E7B11",
"versionEndExcluding": "3.0.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Attackers can access the sensitive data on QNAP Kayako server with API keys. We have replaced the API key to mitigate the vulnerability, and already fixed the issue in Helpdesk 3.0.1 and later versions."
},
{
"lang": "es",
"value": "Esta vulnerabilidad de control de acceso inadecuado en Helpdesk permite a atacantes obtener el control del servicio QNAP Kayako. Los atacantes pueden acceder a los datos confidenciales en el servidor QNAP Kayako con claves de la API. Hemos reemplazado la clave de la API para mitigar la vulnerabilidad y ya resolver el problema en Helpdesk versi\u00f3n 3.0.1 y versiones posteriores"
}
],
"id": "CVE-2020-2500",
"lastModified": "2024-11-21T05:25:21.487",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-01T16:15:13.073",
"references": [
{
"source": "security@qnapsecurity.com.tw",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-03"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-03"
}
],
"sourceIdentifier": "security@qnapsecurity.com.tw",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
},
{
"lang": "en",
"value": "CWE-321"
},
{
"lang": "en",
"value": "CWE-798"
}
],
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-798"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-27125 (GCVE-0-2024-27125)
Vulnerability from cvelistv5 – Published: 2024-09-06 16:27 – Updated: 2024-09-06 17:33
VLAI?
Summary
A cross-site scripting (XSS) vulnerability has been reported to affect Helpdesk. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network.
We have already fixed the vulnerability in the following version:
Helpdesk 3.3.1 and later
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | Helpdesk |
Affected:
3.3.x , < 3.3.1
(custom)
|
Credits
Mehedi Hasan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27125",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-06T17:33:11.857589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T17:33:18.291Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Helpdesk",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.3.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mehedi Hasan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A cross-site scripting (XSS) vulnerability has been reported to affect Helpdesk. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following version:\u003cbr\u003eHelpdesk 3.3.1 and later\u003cbr\u003e"
}
],
"value": "A cross-site scripting (XSS) vulnerability has been reported to affect Helpdesk. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network.\n\nWe have already fixed the vulnerability in the following version:\nHelpdesk 3.3.1 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T16:27:17.757Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-24-29"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following version:\u003cbr\u003eHelpdesk 3.3.1 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following version:\nHelpdesk 3.3.1 and later"
}
],
"source": {
"advisory": "QSA-24-29",
"discovery": "EXTERNAL"
},
"title": "Helpdesk",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2024-27125",
"datePublished": "2024-09-06T16:27:17.757Z",
"dateReserved": "2024-02-20T09:36:58.212Z",
"dateUpdated": "2024-09-06T17:33:18.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28814 (GCVE-0-2021-28814)
Vulnerability from cvelistv5 – Published: 2021-06-11 06:35 – Updated: 2024-09-17 03:58
VLAI?
Summary
An improper access control vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows remote attackers to compromise the security of the software. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.4.
Severity ?
8.8 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | Helpdesk |
Affected:
unspecified , < 3.0.4
(custom)
|
Credits
Thomas FADY
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:11.977Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-25"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Helpdesk",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "3.0.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thomas FADY"
}
],
"datePublic": "2021-06-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An improper access control vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows remote attackers to compromise the security of the software. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-11T06:35:15",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-25"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP has already fixed this issue in Helpdesk 3.0.4 and later versions."
}
],
"source": {
"advisory": "QSA-21-25",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control Vulnerability in Helpdesk",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-06-11T06:01:00.000Z",
"ID": "CVE-2021-28814",
"STATE": "PUBLIC",
"TITLE": "Improper Access Control Vulnerability in Helpdesk"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Helpdesk",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.0.4"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thomas FADY"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper access control vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows remote attackers to compromise the security of the software. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.4."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-269 Improper Privilege Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-25",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-25"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP has already fixed this issue in Helpdesk 3.0.4 and later versions."
}
],
"source": {
"advisory": "QSA-21-25",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-28814",
"datePublished": "2021-06-11T06:35:15.709685Z",
"dateReserved": "2021-03-18T00:00:00",
"dateUpdated": "2024-09-17T03:58:40.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-2506 (GCVE-0-2020-2506)
Vulnerability from cvelistv5 – Published: 2021-02-03 15:51 – Updated: 2025-10-21 23:35
VLAI?
Summary
The vulnerability have been reported to affect earlier versions of QTS. If exploited, this improper access control vulnerability could allow attackers to compromise the security of the software by gaining privileges, or reading sensitive information. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3.
Severity ?
7.3 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | Helpdesk |
Affected:
unspecified , < 3.0.3
(custom)
|
Credits
Jose Antonio Pérez Piedra
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:09:54.611Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-2506",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T20:39:53.308780Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-03-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2506"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:35:29.111Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2506"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-03-25T00:00:00+00:00",
"value": "CVE-2020-2506 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Helpdesk",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "3.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jose Antonio P\u00e9rez Piedra"
}
],
"datePublic": "2020-10-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The vulnerability have been reported to affect earlier versions of QTS. If exploited, this improper access control vulnerability could allow attackers to compromise the security of the software by gaining privileges, or reading sensitive information. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-11T14:27:37.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP has already fixed these issues in Helpdesk 3.0.3 and later versions."
}
],
"source": {
"advisory": "QSA-20-08",
"discovery": "EXTERNAL"
},
"title": "improper access control vulnerability in Helpdesk",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2020-10-07T03:07:00.000Z",
"ID": "CVE-2020-2506",
"STATE": "PUBLIC",
"TITLE": "improper access control vulnerability in Helpdesk"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Helpdesk",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.0.3"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jose Antonio P\u00e9rez Piedra"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The vulnerability have been reported to affect earlier versions of QTS. If exploited, this improper access control vulnerability could allow attackers to compromise the security of the software by gaining privileges, or reading sensitive information. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP has already fixed these issues in Helpdesk 3.0.3 and later versions."
}
],
"source": {
"advisory": "QSA-20-08",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2020-2506",
"datePublished": "2021-02-03T15:51:38.031Z",
"dateReserved": "2019-12-09T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:35:29.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-2507 (GCVE-0-2020-2507)
Vulnerability from cvelistv5 – Published: 2021-02-03 15:51 – Updated: 2024-09-16 19:40
VLAI?
Summary
The vulnerability have been reported to affect earlier versions of QTS. If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3.
Severity ?
9.8 (Critical)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | Helpdesk |
Affected:
unspecified , < 3.0.3
(custom)
|
Credits
Jose Antonio Pérez Piedra
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:09:54.670Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Helpdesk",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "3.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jose Antonio P\u00e9rez Piedra"
}
],
"datePublic": "2020-10-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The vulnerability have been reported to affect earlier versions of QTS. If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-11T14:27:54",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP has already fixed these issues in Helpdesk 3.0.3 and later versions."
}
],
"source": {
"advisory": "QSA-20-08",
"discovery": "EXTERNAL"
},
"title": "command injection vulnerability in Helpdesk",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2020-10-07T03:07:00.000Z",
"ID": "CVE-2020-2507",
"STATE": "PUBLIC",
"TITLE": "command injection vulnerability in Helpdesk"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Helpdesk",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.0.3"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jose Antonio P\u00e9rez Piedra"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The vulnerability have been reported to affect earlier versions of QTS. If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP has already fixed these issues in Helpdesk 3.0.3 and later versions."
}
],
"source": {
"advisory": "QSA-20-08",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2020-2507",
"datePublished": "2021-02-03T15:51:16.772551Z",
"dateReserved": "2019-12-09T00:00:00",
"dateUpdated": "2024-09-16T19:40:15.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-19946 (GCVE-0-2018-19946)
Vulnerability from cvelistv5 – Published: 2020-09-11 14:14 – Updated: 2024-08-05 11:51
VLAI?
Summary
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this improper certificate validation vulnerability could allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
Severity ?
4.2 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | Helpdesk |
Affected:
unspecified , < 3.0.3
(custom)
|
Credits
Independent Security Evaluators
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:51:17.920Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Helpdesk",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "3.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Independent Security Evaluators"
}
],
"descriptions": [
{
"lang": "en",
"value": "The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this improper certificate validation vulnerability could allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. QNAP has already fixed the issue in Helpdesk 3.0.3 and later."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-297",
"description": "CWE-297 Improper Validation of Certificate with Host Mismatch",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-11T14:14:45",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"ID": "CVE-2018-19946",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Helpdesk",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.0.3"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Independent Security Evaluators"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this improper certificate validation vulnerability could allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. QNAP has already fixed the issue in Helpdesk 3.0.3 and later."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295 Improper Certificate Validation"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-297 Improper Validation of Certificate with Host Mismatch"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2018-19946",
"datePublished": "2020-09-11T14:14:45",
"dateReserved": "2018-12-07T00:00:00",
"dateUpdated": "2024-08-05T11:51:17.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-19947 (GCVE-0-2018-19947)
Vulnerability from cvelistv5 – Published: 2020-09-11 14:14 – Updated: 2024-08-05 11:51
VLAI?
Summary
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this information exposure vulnerability could disclose sensitive information. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
Severity ?
4.3 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | Helpdesk |
Affected:
unspecified , < 3.0.3
(custom)
|
Credits
Independent Security Evaluators
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:51:17.675Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Helpdesk",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "3.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Independent Security Evaluators"
}
],
"descriptions": [
{
"lang": "en",
"value": "The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this information exposure vulnerability could disclose sensitive information. QNAP has already fixed the issue in Helpdesk 3.0.3 and later."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Information Exposure Through an Error Message",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-210",
"description": "CWE-210 Information Exposure Through Self-generated Error Message",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-11T14:14:21",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"ID": "CVE-2018-19947",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Helpdesk",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.0.3"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Independent Security Evaluators"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this information exposure vulnerability could disclose sensitive information. QNAP has already fixed the issue in Helpdesk 3.0.3 and later."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-209 Information Exposure Through an Error Message"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-210 Information Exposure Through Self-generated Error Message"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2018-19947",
"datePublished": "2020-09-11T14:14:21",
"dateReserved": "2018-12-07T00:00:00",
"dateUpdated": "2024-08-05T11:51:17.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-19948 (GCVE-0-2018-19948)
Vulnerability from cvelistv5 – Published: 2020-09-11 14:12 – Updated: 2024-08-05 11:51
VLAI?
Summary
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
Severity ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | Helpdesk |
Affected:
unspecified , < 3.0.3
(custom)
|
Credits
Independent Security Evaluators
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:51:17.945Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Helpdesk",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "3.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Independent Security Evaluators"
}
],
"descriptions": [
{
"lang": "en",
"value": "The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application. QNAP has already fixed the issue in Helpdesk 3.0.3 and later."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-11T14:12:56",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"ID": "CVE-2018-19948",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Helpdesk",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.0.3"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Independent Security Evaluators"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application. QNAP has already fixed the issue in Helpdesk 3.0.3 and later."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2018-19948",
"datePublished": "2020-09-11T14:12:56",
"dateReserved": "2018-12-07T00:00:00",
"dateUpdated": "2024-08-05T11:51:17.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-2500 (GCVE-0-2020-2500)
Vulnerability from cvelistv5 – Published: 2020-07-01 15:53 – Updated: 2024-08-04 07:09
VLAI?
Summary
This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Attackers can access the sensitive data on QNAP Kayako server with API keys. We have replaced the API key to mitigate the vulnerability, and already fixed the issue in Helpdesk 3.0.1 and later versions.
Severity ?
9.8 (Critical)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | Helpdesk |
Affected:
unspecified , < 3.0.1
(custom)
|
Credits
Yoni Ramon, security researcher
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:09:54.662Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Helpdesk",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "3.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Yoni Ramon, security researcher"
}
],
"descriptions": [
{
"lang": "en",
"value": "This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Attackers can access the sensitive data on QNAP Kayako server with API keys. We have replaced the API key to mitigate the vulnerability, and already fixed the issue in Helpdesk 3.0.1 and later versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-01T15:53:50",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-03"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"ID": "CVE-2020-2500",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Helpdesk",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.0.1"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Yoni Ramon, security researcher"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "This improper access control vulnerability in Helpdesk allows attackers to get control of QNAP Kayako service. Attackers can access the sensitive data on QNAP Kayako server with API keys. We have replaced the API key to mitigate the vulnerability, and already fixed the issue in Helpdesk 3.0.1 and later versions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-321 Use of Hard-coded Cryptographic Key"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-798 Use of Hard-coded Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-03",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-03"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2020-2500",
"datePublished": "2020-07-01T15:53:50",
"dateReserved": "2019-12-09T00:00:00",
"dateUpdated": "2024-08-04T07:09:54.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27125 (GCVE-0-2024-27125)
Vulnerability from nvd – Published: 2024-09-06 16:27 – Updated: 2024-09-06 17:33
VLAI?
Summary
A cross-site scripting (XSS) vulnerability has been reported to affect Helpdesk. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network.
We have already fixed the vulnerability in the following version:
Helpdesk 3.3.1 and later
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | Helpdesk |
Affected:
3.3.x , < 3.3.1
(custom)
|
Credits
Mehedi Hasan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27125",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-06T17:33:11.857589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T17:33:18.291Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Helpdesk",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.3.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mehedi Hasan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A cross-site scripting (XSS) vulnerability has been reported to affect Helpdesk. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following version:\u003cbr\u003eHelpdesk 3.3.1 and later\u003cbr\u003e"
}
],
"value": "A cross-site scripting (XSS) vulnerability has been reported to affect Helpdesk. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network.\n\nWe have already fixed the vulnerability in the following version:\nHelpdesk 3.3.1 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T16:27:17.757Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-24-29"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following version:\u003cbr\u003eHelpdesk 3.3.1 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following version:\nHelpdesk 3.3.1 and later"
}
],
"source": {
"advisory": "QSA-24-29",
"discovery": "EXTERNAL"
},
"title": "Helpdesk",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2024-27125",
"datePublished": "2024-09-06T16:27:17.757Z",
"dateReserved": "2024-02-20T09:36:58.212Z",
"dateUpdated": "2024-09-06T17:33:18.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28814 (GCVE-0-2021-28814)
Vulnerability from nvd – Published: 2021-06-11 06:35 – Updated: 2024-09-17 03:58
VLAI?
Summary
An improper access control vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows remote attackers to compromise the security of the software. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.4.
Severity ?
8.8 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | Helpdesk |
Affected:
unspecified , < 3.0.4
(custom)
|
Credits
Thomas FADY
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:11.977Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-25"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Helpdesk",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "3.0.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thomas FADY"
}
],
"datePublic": "2021-06-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An improper access control vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows remote attackers to compromise the security of the software. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-11T06:35:15",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-25"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP has already fixed this issue in Helpdesk 3.0.4 and later versions."
}
],
"source": {
"advisory": "QSA-21-25",
"discovery": "EXTERNAL"
},
"title": "Improper Access Control Vulnerability in Helpdesk",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2021-06-11T06:01:00.000Z",
"ID": "CVE-2021-28814",
"STATE": "PUBLIC",
"TITLE": "Improper Access Control Vulnerability in Helpdesk"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Helpdesk",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.0.4"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thomas FADY"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An improper access control vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows remote attackers to compromise the security of the software. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.4."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-269 Improper Privilege Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-25",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-25"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP has already fixed this issue in Helpdesk 3.0.4 and later versions."
}
],
"source": {
"advisory": "QSA-21-25",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2021-28814",
"datePublished": "2021-06-11T06:35:15.709685Z",
"dateReserved": "2021-03-18T00:00:00",
"dateUpdated": "2024-09-17T03:58:40.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-2506 (GCVE-0-2020-2506)
Vulnerability from nvd – Published: 2021-02-03 15:51 – Updated: 2025-10-21 23:35
VLAI?
Summary
The vulnerability have been reported to affect earlier versions of QTS. If exploited, this improper access control vulnerability could allow attackers to compromise the security of the software by gaining privileges, or reading sensitive information. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3.
Severity ?
7.3 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | Helpdesk |
Affected:
unspecified , < 3.0.3
(custom)
|
Credits
Jose Antonio Pérez Piedra
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:09:54.611Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-2506",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T20:39:53.308780Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-03-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2506"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:35:29.111Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2506"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-03-25T00:00:00+00:00",
"value": "CVE-2020-2506 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Helpdesk",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "3.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jose Antonio P\u00e9rez Piedra"
}
],
"datePublic": "2020-10-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The vulnerability have been reported to affect earlier versions of QTS. If exploited, this improper access control vulnerability could allow attackers to compromise the security of the software by gaining privileges, or reading sensitive information. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-11T14:27:37.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP has already fixed these issues in Helpdesk 3.0.3 and later versions."
}
],
"source": {
"advisory": "QSA-20-08",
"discovery": "EXTERNAL"
},
"title": "improper access control vulnerability in Helpdesk",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2020-10-07T03:07:00.000Z",
"ID": "CVE-2020-2506",
"STATE": "PUBLIC",
"TITLE": "improper access control vulnerability in Helpdesk"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Helpdesk",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.0.3"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jose Antonio P\u00e9rez Piedra"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The vulnerability have been reported to affect earlier versions of QTS. If exploited, this improper access control vulnerability could allow attackers to compromise the security of the software by gaining privileges, or reading sensitive information. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP has already fixed these issues in Helpdesk 3.0.3 and later versions."
}
],
"source": {
"advisory": "QSA-20-08",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2020-2506",
"datePublished": "2021-02-03T15:51:38.031Z",
"dateReserved": "2019-12-09T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:35:29.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-2507 (GCVE-0-2020-2507)
Vulnerability from nvd – Published: 2021-02-03 15:51 – Updated: 2024-09-16 19:40
VLAI?
Summary
The vulnerability have been reported to affect earlier versions of QTS. If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3.
Severity ?
9.8 (Critical)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | Helpdesk |
Affected:
unspecified , < 3.0.3
(custom)
|
Credits
Jose Antonio Pérez Piedra
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:09:54.670Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Helpdesk",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "3.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jose Antonio P\u00e9rez Piedra"
}
],
"datePublic": "2020-10-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The vulnerability have been reported to affect earlier versions of QTS. If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-11T14:27:54",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP has already fixed these issues in Helpdesk 3.0.3 and later versions."
}
],
"source": {
"advisory": "QSA-20-08",
"discovery": "EXTERNAL"
},
"title": "command injection vulnerability in Helpdesk",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2020-10-07T03:07:00.000Z",
"ID": "CVE-2020-2507",
"STATE": "PUBLIC",
"TITLE": "command injection vulnerability in Helpdesk"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Helpdesk",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.0.3"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jose Antonio P\u00e9rez Piedra"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The vulnerability have been reported to affect earlier versions of QTS. If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-08"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP has already fixed these issues in Helpdesk 3.0.3 and later versions."
}
],
"source": {
"advisory": "QSA-20-08",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2020-2507",
"datePublished": "2021-02-03T15:51:16.772551Z",
"dateReserved": "2019-12-09T00:00:00",
"dateUpdated": "2024-09-16T19:40:15.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-19946 (GCVE-0-2018-19946)
Vulnerability from nvd – Published: 2020-09-11 14:14 – Updated: 2024-08-05 11:51
VLAI?
Summary
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this improper certificate validation vulnerability could allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
Severity ?
4.2 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | Helpdesk |
Affected:
unspecified , < 3.0.3
(custom)
|
Credits
Independent Security Evaluators
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:51:17.920Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Helpdesk",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "3.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Independent Security Evaluators"
}
],
"descriptions": [
{
"lang": "en",
"value": "The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this improper certificate validation vulnerability could allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. QNAP has already fixed the issue in Helpdesk 3.0.3 and later."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-297",
"description": "CWE-297 Improper Validation of Certificate with Host Mismatch",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-11T14:14:45",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"ID": "CVE-2018-19946",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Helpdesk",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.0.3"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Independent Security Evaluators"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this improper certificate validation vulnerability could allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. QNAP has already fixed the issue in Helpdesk 3.0.3 and later."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295 Improper Certificate Validation"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-297 Improper Validation of Certificate with Host Mismatch"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2018-19946",
"datePublished": "2020-09-11T14:14:45",
"dateReserved": "2018-12-07T00:00:00",
"dateUpdated": "2024-08-05T11:51:17.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-19947 (GCVE-0-2018-19947)
Vulnerability from nvd – Published: 2020-09-11 14:14 – Updated: 2024-08-05 11:51
VLAI?
Summary
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this information exposure vulnerability could disclose sensitive information. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
Severity ?
4.3 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | Helpdesk |
Affected:
unspecified , < 3.0.3
(custom)
|
Credits
Independent Security Evaluators
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:51:17.675Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Helpdesk",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "3.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Independent Security Evaluators"
}
],
"descriptions": [
{
"lang": "en",
"value": "The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this information exposure vulnerability could disclose sensitive information. QNAP has already fixed the issue in Helpdesk 3.0.3 and later."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Information Exposure Through an Error Message",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-210",
"description": "CWE-210 Information Exposure Through Self-generated Error Message",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-11T14:14:21",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"ID": "CVE-2018-19947",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Helpdesk",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.0.3"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Independent Security Evaluators"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this information exposure vulnerability could disclose sensitive information. QNAP has already fixed the issue in Helpdesk 3.0.3 and later."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-209 Information Exposure Through an Error Message"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-210 Information Exposure Through Self-generated Error Message"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2018-19947",
"datePublished": "2020-09-11T14:14:21",
"dateReserved": "2018-12-07T00:00:00",
"dateUpdated": "2024-08-05T11:51:17.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-19948 (GCVE-0-2018-19948)
Vulnerability from nvd – Published: 2020-09-11 14:12 – Updated: 2024-08-05 11:51
VLAI?
Summary
The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application. QNAP has already fixed the issue in Helpdesk 3.0.3 and later.
Severity ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | Helpdesk |
Affected:
unspecified , < 3.0.3
(custom)
|
Credits
Independent Security Evaluators
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:51:17.945Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Helpdesk",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "3.0.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Independent Security Evaluators"
}
],
"descriptions": [
{
"lang": "en",
"value": "The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application. QNAP has already fixed the issue in Helpdesk 3.0.3 and later."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-11T14:12:56",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
],
"source": {
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"ID": "CVE-2018-19948",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Helpdesk",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "3.0.3"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Independent Security Evaluators"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application. QNAP has already fixed the issue in Helpdesk 3.0.3 and later."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2018-19948",
"datePublished": "2020-09-11T14:12:56",
"dateReserved": "2018-12-07T00:00:00",
"dateUpdated": "2024-08-05T11:51:17.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
VAR-202009-1222
Vulnerability from variot - Updated: 2023-12-18 12:35The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application. QNAP has already fixed the issue in Helpdesk 3.0.3 and later. QNAP Systems TS-870 is a NAS (Network Attached Storage) device of China QNAP Systems.
A cross-site request forgery vulnerability exists in QNAP Systems TS-870 using firmware version 4.3.4.0486. The vulnerability stems from the failure of the WEB application to fully verify whether the request comes from a trusted user. Attackers can use this vulnerability to send unexpected requests to the server through the affected client
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202009-1222",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "helpdesk",
"scope": "lt",
"trust": 1.0,
"vendor": "qnap",
"version": "3.0.3"
},
{
"model": "systems qnap systems ts-870",
"scope": "eq",
"trust": 0.6,
"vendor": "qnap",
"version": "4.3.4.0486"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-53780"
},
{
"db": "NVD",
"id": "CVE-2018-19948"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:qnap:helpdesk:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.0.3",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-19948"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Rick Ramgattie,Shaun Mirani, Joshua Meyer, and Ian Sindermann",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201909-928"
}
],
"trust": 0.6
},
"cve": "CVE-2018-19948",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CNVD-2020-53780",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "security@qnapsecurity.com.tw",
"availabilityImpact": "NONE",
"baseScore": 2.0,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"exploitabilityScore": 0.5,
"impactScore": 1.4,
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-19948",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "security@qnapsecurity.com.tw",
"id": "CVE-2018-19948",
"trust": 1.0,
"value": "LOW"
},
{
"author": "CNVD",
"id": "CNVD-2020-53780",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201909-928",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-53780"
},
{
"db": "NVD",
"id": "CVE-2018-19948"
},
{
"db": "NVD",
"id": "CVE-2018-19948"
},
{
"db": "CNNVD",
"id": "CNNVD-201909-928"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The vulnerability have been reported to affect earlier versions of Helpdesk. If exploited, this cross-site request forgery (CSRF) vulnerability could allow attackers to force NAS users to execute unintentional actions through a web application. QNAP has already fixed the issue in Helpdesk 3.0.3 and later. QNAP Systems TS-870 is a NAS (Network Attached Storage) device of China QNAP Systems. \n\r\n\r\nA cross-site request forgery vulnerability exists in QNAP Systems TS-870 using firmware version 4.3.4.0486. The vulnerability stems from the failure of the WEB application to fully verify whether the request comes from a trusted user. Attackers can use this vulnerability to send unexpected requests to the server through the affected client",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-19948"
},
{
"db": "CNVD",
"id": "CNVD-2020-53780"
}
],
"trust": 1.44
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-19948",
"trust": 2.2
},
{
"db": "CNVD",
"id": "CNVD-2020-53780",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201909-928",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-53780"
},
{
"db": "NVD",
"id": "CVE-2018-19948"
},
{
"db": "CNNVD",
"id": "CNNVD-201909-928"
}
]
},
"id": "VAR-202009-1222",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-53780"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-53780"
}
]
},
"last_update_date": "2023-12-18T12:35:21.533000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-352",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-19948"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.2,
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-05"
},
{
"trust": 0.6,
"url": "https://www.securityevaluators.com/whitepaper/sohopelessly-broken-2/"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-19948"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-53780"
},
{
"db": "NVD",
"id": "CVE-2018-19948"
},
{
"db": "CNNVD",
"id": "CNNVD-201909-928"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2020-53780"
},
{
"db": "NVD",
"id": "CVE-2018-19948"
},
{
"db": "CNNVD",
"id": "CNNVD-201909-928"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-09-24T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-53780"
},
{
"date": "2020-09-11T15:15:10.993000",
"db": "NVD",
"id": "CVE-2018-19948"
},
{
"date": "2019-09-16T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201909-928"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-09-24T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-53780"
},
{
"date": "2020-09-16T19:20:46.457000",
"db": "NVD",
"id": "CVE-2018-19948"
},
{
"date": "2020-09-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201909-928"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201909-928"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "QNAP Systems TS-870 cross-site request forgery vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-53780"
},
{
"db": "CNNVD",
"id": "CNNVD-201909-928"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "cross-site request forgery",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201909-928"
}
],
"trust": 0.6
}
}