CVE-2020-2503 — Cross-site Scripting in Systems INC QES

CWE-79 — Cross-site Scripting CWE-80 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)CWE-749 — Exposed Dangerous Method or Function CWE-282 — Improper Ownership Management4 documents4 sources

Severity

5.4MEDIUMNVD

CNA9.0

EPSS

0.3%

top 47.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qnap Systems INC QES Qnap QES

Timeline

PublishedDec 24

Latest updateMay 24

Description

If exploited, this stored cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDqnap/qes< 2.1.1+1

▶CVEListV5qnap_systems_inc/qesunspecified — 2.1.1

🔴Vulnerability Details

GHSA

GHSA-v96c-c8j8-qhm7: If exploited, this stored cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station↗2022-05-24

▶

CVEList

Stored cross-site scripting vulnerability in QES↗2020-12-24

▶

📋Vendor Advisories

Red Hat

mariadb: Named pipe permission issue on Windows↗2020-11-18

▶