CVE-2021-44054

05.05.2022, 17:15

An open redirect vulnerability has been reported to affect QNAP device running QuTScloud, QuTS hero and QTS. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero and QTS: QuTScloud c5.0.1.1949 and later QuTS hero h5.0.0.1949 build 20220215 and later QuTS hero h4.5.4.1951 build 20220218 and later QTS 5.0.0.1986 build 20220324 and later QTS 4.5.4.1991 build 20220329 and later

Open Redirect

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
qnap	CNA	4.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 43%

Vendor	Product	Version
qnap	qts	5.0.0.1716 ≤ 𝑥 < 5.0.0.1986
qnap	qts	4.3.3.0174 ≤ 𝑥 < 4.3.3.1945
qnap	qts	4.3.4.0899 ≤ 𝑥 < 4.3.4.1976
qnap	qts	4.3.6.0895 ≤ 𝑥 < 4.3.6.1965
qnap	qts	4.4.0.0883 ≤ 𝑥 < 4.5.4.1991
qnap	qts	4.2.6:build_20170517
qnap	qts	4.2.6:build_20190322
qnap	qts	4.2.6:build_20190730
qnap	qts	4.2.6:build_20190921
qnap	qts	4.2.6:build_20191107
qnap	qts	4.2.6:build_20200109
qnap	qts	4.2.6:build_20200421
qnap	qts	4.2.6:build_20200611
qnap	qts	4.2.6:build_20200821
qnap	qts	4.2.6:build_20210327
qnap	qts	4.2.6:build_20211215

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References

https://www.qnap.com/en/security-advisory/qsa-22-16