CVE-2021-38681

Published: Nov 20, 2021Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: NVD

Description

A reflected cross-site scripting (XSS) vulnerability has been reported to affect QNAP NAS running Ragic Cloud DB. If exploited, this vulnerability allows remote attackers to inject malicious code. QNAP have already disabled and removed Ragic Cloud DB from the QNAP App Center, pending a security patch from Ragic.

Affected (1)

Products: Qnap: Ragic Cloud Db

1 product

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Qnap Ragic Cloud Db	Up to 3.7.0.1

Running on/with	Platform Versions
Qnap Nas	All versions

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://www.qnap.com/en/security-advisory/qsa-21-48

Source: security@qnapsecurity.com.tw

Vendor Advisory

https://www.qnap.com/en/security-advisory/qsa-21-48

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.