CVE-2021-28807
HIGH
QNAP Q'center < 1.12.1012 - Authenticated Reflected Cross-Site Scripting
Title source: llmDescription
A post-authentication reflected XSS vulnerability has been reported to affect QNAP NAS running Q’center. If exploited, this vulnerability allows remote attackers to inject malicious code. QNAP have already fixed this vulnerability in the following versions of Q’center:
QTS 4.5.3: Q’center v1.12.1012 and later
QTS 4.3.6: Q’center v1.10.1004 and later
QTS 4.3.3: Q’center v1.10.1004 and later
QuTS hero h4.5.2: Q’center v1.12.1012 and later
QuTScloud c4.5.4: Q’center v1.12.1012 and later
References (3)
Core References
Vendor Advisory x_refsource_misc
https://www.qnap.com/zh-tw/security-advisory/qsa-21-20
Exploit, Third Party Advisory x_refsource_misc
https://www.shielder.it/advisories/qnap-qcenter-virtual-stored-xss/
Exploit, Third Party Advisory x_refsource_misc
https://www.shielder.it/advisories/qnap-qcenter-post-auth-remote-code-execution-via-qpkg/
Scores
CVSS v3
7.7
EPSS
0.0036
EPSS Percentile
58.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Details
CWE
CWE-79
Status
published
Products (1)
qnap/q'center
< 1.12.1012
Published
Jun 03, 2021
Tracked Since
Feb 18, 2026