Detections
Analytics

Qnap QTS Cross-site Scripting (CVE-2018-19953)

medium Tenable OT Security Plugin ID 502486

Synopsis

The remote OT asset is affected by a vulnerability.

Description

If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302;
QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214;
QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109;
QTS 4.2.6 on build 20200109.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

Refer to the vendor advisory.

See Also

https://www.qnap.com/zh-tw/security-advisory/qsa-20-01

Plugin Details

Severity: Medium

ID: 502486

Version: 1.3

Type: remote

Family: Tenable.ot

Published: 10/16/2024

Updated: 10/17/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.6

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2018-19953

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:qnap:qts:4.4.1, cpe:/o:qnap:qts:4.3.3, cpe:/o:qnap:qts:4.3.4, cpe:/o:qnap:qts:4.3.6, cpe:/o:qnap:qts:4.2.6, cpe:/o:qnap:qts:4.4.2

Required KB Items: Tenable.ot/Qnap

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/28/2020

Vulnerability Publication Date: 10/28/2020

CISA Known Exploited Vulnerability Due Dates: 6/14/2022

Reference Information

CVE: CVE-2018-19953

CWE: 79, 80