A vulnerability was found in QNAP Proxy Server up to 1.2.0 (Firewall Software) and classified as problematic. This issue affects an unknown functionality. The manipulation with an unknown input leads to a cross site scripting vulnerability. Using CWE to declare the problem leads to CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Impacted is integrity. The summary by CVE is:

Cross-site scripting (XSS) vulnerability in QNAP NAS application Proxy Server through version 1.2.0 allows remote attackers to inject arbitrary web script or HTML.

The weakness was published 06/01/2018 as NAS-201806-01 as confirmed security advisory (Website). The advisory is shared at qnap.com. The identification of this vulnerability is CVE-2017-7636. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1059.007 for this issue.

Upgrading to version 1.2.1 or 1.3.0 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at SecurityTracker (ID 1041025†). Similar entries are available at VDB-118804, VDB-118806 and VDB-118807.

Productinfo

Type

• Firewall Software

Vendor

• QNAP

Name

• Proxy Server

Version

• 1.0
• 1.1
• 1.2

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion