⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-06-14.

CVE-2018-19943Cross-site Scripting in Systems INC QTS

CWE-79Cross-site ScriptingCWE-80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)5 documents5 sources
Severity
5.4MEDIUMNVD
CNA8.0VulnCheck8.0
EPSS
7.0%
top 8.49%
CISA KEV
KEVRansomware
Added 2022-05-24
Due 2022-06-14
Exploit
Exploited in wild
Active exploitation observed
Affected products
2
Qnap Systems INC QTSQnap QTS
Timeline
PublishedOct 28
KEV addedMay 24
KEV dueJun 14
CISA Required Action: Apply updates per vendor instructions.

Description

If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed these issues in the following QTS versions. QTS 4.4.2.1270 build 20200410 and later QTS 4.4.1.1261 build 20200330 and later QTS 4.3.6.1263 build 20200330 and later QTS 4.3.4.1282 build 20200408 and later QTS 4.3.3.1252 build 20200409 and later QTS 4.2.6 build 20200421 and later

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

NVDqnap/qts4.3.1.00134.3.3.1252+6
CVEListV5qnap_systems_inc/qtsunspecified4.4.2.1270+5

🔴Vulnerability Details

3
GHSA
GHSA-wh89-fj9h-4gr8: If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code2022-05-24
CVEList
CVE-2018-19943: If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code2020-10-28
VulnCheck
QNAP NAS File Station Cross-Site Scripting Vulnerability2018

📋Vendor Advisories

1
CISA
QNAP NAS File Station Cross-Site Scripting Vulnerability2022-05-24
CVE-2018-19943 — Cross-site Scripting | cvebase