CVE-2018-19943
Published: 28 October 2020
Summary
CVE-2018-19943 is a high-severity Cross-site Scripting (CWE-79) vulnerability in QNAP QTS. Its CVSS base score is 8.0 (High).
Operationally, it ranks in the top 8.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2018-19943 is a cross-site scripting vulnerability, tracked under CWE-79 and CWE-80, that affects multiple versions of QNAP QTS prior to the listed fixed builds. Successful exploitation permits remote attackers to inject malicious code into the affected NAS operating system.
An attacker with low privileges can leverage the flaw over the network, though the attack has high complexity, requires user interaction, and results in a changed scope; the CVSS 3.1 score of 8.0 reflects high impact on confidentiality, integrity, and availability. The vulnerability enables injection of arbitrary scripts that execute in the context of other users or sessions.
QNAP security advisory QSA-20-01 states that the issues have been resolved in QTS 4.4.2.1270 build 20200410 and later, 4.4.1.1261 build 20200330 and later, 4.3.6.1263 build 20200330 and later, 4.3.4.1282 build 20200408 and later, 4.3.3.1252 build 20200409 and later, and 4.2.6 build 20200421 and later. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed real-world exploitation.
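To check a device inventory against the fixed builds listed above, the following added example (not QNAP's code and not part of the original page) classifies a QTS firmware string. It assumes that the build date decides patch status within a branch and returns "unknown" for branches the advisory does not name; the host names and the non-advisory version strings are constructed.

```python
import re

# Fixed build per QTS branch, copied from the QSA-20-01 list on this page.
FIXED_BUILDS = {
    "4.4.2": 20200410,
    "4.4.1": 20200330,
    "4.3.6": 20200330,
    "4.3.4": 20200408,
    "4.3.3": 20200409,
    "4.2.6": 20200421,
}

# Matches e.g. "4.3.6.1263 build 20200330" or "QTS 4.2.6 Build 20200421".
_VERSION_RE = re.compile(
    r"(?<![\d.])(?P<branch>\d+\.\d+\.\d+)(?:\.\d+)?\D+(?P<build>\d{8})\b"
)


def classify(version_string):
    """Return 'fixed', 'vulnerable' or 'unknown' for one firmware string."""
    match = _VERSION_RE.search(version_string)
    if not match:
        return "unknown"  # no branch/build pair found: review manually
    fixed_build = FIXED_BUILDS.get(match.group("branch"))
    if fixed_build is None:
        return "unknown"  # branch not named in the advisory (assumption)
    # Assumption: within a branch, a later build date includes the fix.
    return "fixed" if int(match.group("build")) >= fixed_build else "vulnerable"


def audit(inventory):
    """Map each host to its patch status for CVE-2018-19943."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts and firmware strings).
SAMPLE_INVENTORY = {
    "nas-01": "4.3.6.1263 build 20200330",
    "nas-02": "4.3.6.1154 build 20200211",
    "nas-03": "QTS 4.2.6 Build 20200421",
    "nas-04": "4.5.1.1495 build 20201123",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" are on a branch or in a format the advisory list does not cover and need a manual check against QSA-20-01.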
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-11614
Vulnerability details
If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed these issues in the following QTS versions.
- QTS 4.4.2.1270 build 20200410 and later
- QTS 4.4.1.1261 build 20200330 and later
- QTS 4.3.6.1263 build 20200330 and later
- QTS 4.3.4.1282 build 20200408 and later
- QTS 4.3.3.1252 build 20200409 and later
- QTS 4.2.6 build 20200421 and later
- CWE(s)
- KEV Date Added: 24 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of all inputs to block the arbitrary script injection that defines this XSS flaw.
Mandates timely application of the vendor patches listed in QSA-20-01 that eliminate the vulnerable code paths.
Requires output filtering/encoding that can neutralize injected scripts before they execute in other users' sessions.