Cyber Resilience

CVE-2018-19943

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 28 October 2020
Modified: 03 November 2025
KEV Added: 24 May 2022
Patch: available (see QNAP advisory QSA-20-01)
CVSS Score (v3.1): 8.0, vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS Score: 0.0703 (91.7th percentile)
Risk Priority: 40 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2018-19943 is a high-severity cross-site scripting (CWE-79) vulnerability in QNAP QTS. Its CVSS v3.1 base score is 8.0 (High).

Operationally, it ranks in the top 8.3% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST SP 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2018-19943 is a cross-site scripting vulnerability, tracked under CWE-79 and CWE-80, that affects multiple versions of QNAP QTS prior to the listed fixed builds. Successful exploitation permits remote attackers to inject malicious code into the affected NAS operating system.

The flaw is reachable over the network by an attacker holding low privileges, but the CVSS vector rates attack complexity as high, requires user interaction, and records a scope change; the CVSS v3.1 score of 8.0 reflects high impact on confidentiality, integrity, and availability. The vulnerability enables injection of arbitrary scripts that execute in the context of other users' sessions.

QNAP security advisory QSA-20-01 states that the issues have been resolved in QTS 4.4.2.1270 build 20200410 and later, 4.4.1.1261 build 20200330 and later, 4.3.6.1263 build 20200330 and later, 4.3.4.1282 build 20200408 and later, 4.3.3.1252 build 20200409 and later, and 4.2.6 build 20200421 and later. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed real-world exploitation.

EU & UK References

Vulnerability details

If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed these issues in the following QTS versions:

QTS 4.4.2.1270 build 20200410 and later
QTS 4.4.1.1261 build 20200330 and later
QTS 4.3.6.1263 build 20200330 and later
QTS 4.3.4.1282 build 20200408 and later
QTS 4.3.3.1252 build 20200409 and later
QTS 4.2.6 build 20200421 and later

CWE(s): CWE-79, CWE-80
KEV Date Added: 24 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: qnap
Product: qts
Affected versions: 4.2.6 · ≤ 4.2.6 · 4.3.1.0013 to 4.3.3.1252 · 4.3.4 to 4.3.4.1282

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Control type: prevent
SI-10 (Information Input Validation): directly requires validation of all inputs to block the arbitrary script injection that defines this XSS flaw.

Control type: prevent
SI-2 (Flaw Remediation): mandates timely application of the vendor patches listed in QSA-20-01 that eliminate the vulnerable code paths.

Control type: prevent
Requires output filtering/encoding that can neutralize injected scripts before they execute in other users' sessions.

References