⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions. Due date: 2022-06-14.

CVE-2018-19953: Cross-site Scripting in Systems INC QTS

Severity: 6.1 MEDIUM (NVD)
EPSS: 31.5% (top 3.21%)
CISA KEV: KEV, Ransomware (added 2022-05-24, due 2022-06-14)
Exploit: Exploited in wild (active exploitation observed)
Timeline: Published Oct 28; KEV added May 24; KEV due Jun 14
CISA Required Action: Apply updates per vendor instructions.

Description

If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

NVD | qnap/qts | 4.3.1.0013 | 4.3.3.1161 | +6
CVEListV5 | qnap_systems_inc/qts | unspecified | 4.4.2.1231 | +5

🔴 Vulnerability Details (3)

GHSA: GHSA-8h8x-7j55-4jp9: If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code (2022-05-24)
CVEList: CVE-2018-19953: If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code (2020-10-28)
VulnCheck: QNAP NAS File Station Cross-Site Scripting Vulnerability (2018)

📋 Vendor Advisories (1)

CISA: QNAP NAS File Station Cross-Site Scripting Vulnerability (2022-05-24)