Cyber Resilience

CVE-2018-19953

MediumCISA KEVActive ExploitationEUVD ExploitedRansomware-linked

Published: 28 October 2020

Published
28 October 2020
Modified
03 November 2025
KEV Added
24 May 2022
Patch
CVSS Score v3.1 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score 0.3152 96.9th percentile
Risk Priority 51 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2018-19953 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Qnap Qts. Its CVSS base score is 6.1 (Medium).

Operationally, ranked in the top 3.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

This cross-site scripting vulnerability, tracked as CVE-2018-19953 and assigned CWE-79 and CWE-80, affects multiple versions of QNAP QTS network-attached storage firmware. Successful exploitation enables remote attackers to inject malicious code into affected systems, as reflected in its CVSS 3.1 score of 6.1 with network attack vector, low complexity, no required privileges, and required user interaction.

An unauthenticated remote attacker can exploit the flaw by crafting a malicious link or input that a user interacts with, resulting in injected script execution that impacts confidentiality and integrity within a changed scope while leaving availability unaffected.

QNAP addressed the issue through updated builds including QTS 4.4.2.1231 (20200302), 4.4.1.1201 (20200130), 4.3.6.1218 (20200214), 4.3.4.1190 (20200107), 4.3.3.1161 (20200109), and 4.2.6 (20200109), as detailed in security advisory QSA-20-01. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed real-world exploitation activity.

EU & UK References

Vulnerability details

If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214;…

more

QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109.

CWE(s)
KEV Date Added
24 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

qnap
qts
4.2.6 · ≤ 4.2.6 · 4.3.1.0013 — 4.3.3.1161 · 4.3.4 — 4.3.4.1190

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of untrusted input to block the malicious script injection that defines this XSS flaw (CWE-79/80).

prevent

Requires filtering of information outputs so that attacker-supplied scripts cannot be rendered and executed in user browsers.

prevent

Mandates prompt installation of vendor patches (the QTS builds listed in QSA-20-01) that eliminate the vulnerable code paths.

References