October 1, 2021

QNAP, the manufacturer of Network Storage (NAS) recently released security patches to fix several vulnerabilities that allow attackers to remotely inject and execute malicious close and commands on vulnerable NAS devices.

Some of the patched vulnerabilities include three serious XSS vulnerabilities traced as CVE-2021-34354, CBE-2021-34356, and CVE-2021-34355.

They affect devices that released unpatched Photo Station program versions prior to 5.4.10, 5.7.13, or 6.0.18, a stored XSS Image2PDF bug affecting systems using software versions released prior to Image2PDF 2.1.5, a command injection bug (CVE-2021-34352) affecting some QNAP end-of-life (EQL) devices running QVR IP video surveillance software that could ultimately help attackers execute arbitrary commands.

Apart from this, QNAP has also patched three other QVR vulnerabilities with critical severity in the recently released security advisory.

Users are recommended to upgrade their NAS to the latest version of Photo Station or Image PDF and QVR monitoring software.

For more information, read the original story in Bleeping Computer