CVE-2018-19953
Published: 28 October 2020
Summary
CVE-2018-19953 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in QNAP QTS. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 3.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
This cross-site scripting vulnerability, tracked as CVE-2018-19953 and assigned CWE-79 and CWE-80, affects multiple versions of QNAP QTS network-attached storage firmware. Successful exploitation enables remote attackers to inject malicious code into affected systems, as reflected in its CVSS 3.1 score of 6.1 with network attack vector, low complexity, no required privileges, and required user interaction.
An unauthenticated remote attacker can exploit the flaw by crafting a malicious link or input that a user interacts with, resulting in injected script execution that impacts confidentiality and integrity within a changed scope while leaving availability unaffected.
QNAP addressed the issue through updated builds including QTS 4.4.2.1231 (20200302), 4.4.1.1201 (20200130), 4.3.6.1218 (20200214), 4.3.4.1190 (20200107), 4.3.3.1161 (20200109), and 4.2.6 (20200109), as detailed in security advisory QSA-20-01. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed real-world exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-11624
Vulnerability details
If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed the issue in the following QTS versions: QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109.
- CWE(s)
- KEV Date Added: 24 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires validation and sanitization of untrusted input to block the malicious script injection that defines this XSS flaw (CWE-79/80).
Requires filtering of information outputs so that attacker-supplied scripts cannot be rendered and executed in user browsers.
Mandates prompt installation of vendor patches (the QTS builds listed in QSA-20-01) that eliminate the vulnerable code paths.