CVE-2020-36195

17.04.2021, 04:15

An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia Console and the Media Streaming add-on. QTS 4.3.3: Media Streaming add-on 430.1.8.10 and later QTS 4.3.6: Media Streaming add-on 430.1.8.8 and later QTS 4.4.x and later: Multimedia Console 1.3.4 and later We have also fixed this vulnerability in the following versions of QTS 4.3.3 and QTS 4.3.6, respectively: QTS 4.3.3.1624 Build 20210416 or later QTS 4.3.6.1620 Build 20210322 or later

SQL Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
qnap	CNA	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 82%

Vendor	Product	Version
qnap	qts	𝑥 < 4.3.3
qnap	qts	4.3.4 ≤ 𝑥 < 4.3.6
qnap	qts	4.3.3
qnap	qts	4.3.3.0095
qnap	qts	4.3.3.0096
qnap	qts	4.3.3.0136
qnap	qts	4.3.3.0154
qnap	qts	4.3.3.0174
qnap	qts	4.3.3.0188
qnap	qts	4.3.3.0210
qnap	qts	4.3.3.0229
qnap	qts	4.3.3.0238
qnap	qts	4.3.3.0262
qnap	qts	4.3.3.0299
qnap	qts	4.3.3.0351
qnap	qts	4.3.3.0353
qnap	qts	4.3.3.0361
qnap	qts	4.3.3.0369
qnap	qts	4.3.3.0378
qnap	qts	4.3.3.0396
qnap	qts	4.3.3.0404
qnap	qts	4.3.3.0416
qnap	qts	4.3.3.0418
qnap	qts	4.3.3.0448
qnap	qts	4.3.3.0514
qnap	qts	4.3.3.0546
qnap	qts	4.3.3.0570
qnap	qts	4.3.3.0868
qnap	qts	4.3.3.0998
qnap	qts	4.3.3.1051
qnap	qts	4.3.3.1098
qnap	qts	4.3.3.1161
qnap	qts	4.3.3.1252
qnap	qts	4.3.3.1315
qnap	qts	4.3.3.1386
qnap	qts	4.3.3.1432
qnap	qts	4.3.6
qnap	qts	4.3.6.0895
qnap	qts	4.3.6.0907
qnap	qts	4.3.6.0923
qnap	qts	4.3.6.0944
qnap	qts	4.3.6.0959
qnap	qts	4.3.6.0979
qnap	qts	4.3.6.0993
qnap	qts	4.3.6.1013
qnap	qts	4.3.6.1033
qnap	qts	4.3.6.1070
qnap	qts	4.3.6.1154
qnap	qts	4.3.6.1218
qnap	qts	4.3.6.1263
qnap	qts	4.3.6.1286
qnap	qts	4.3.6.1333
qnap	qts	4.3.6.1411
qnap	qts	4.3.6.1446
qnap	media_streaming_add-on	𝑥 < 430.1.8.10
qnap	media_streaming_add-on	𝑥 < 430.1.8.8
qnap	multimedia_console	𝑥 < 1.3.4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

References

https://www.qnap.com/en/security-advisory/qsa-21-11