QNAP Photo Station XSS Vulnerability (CVE-2020-2491) Advisory and Patch

--- Vulnerability Overview Security ID: QSA-20-15 Vulnerability Name: Cross-site Scripting Vulnerability in Photo Station Release Date: December 7, 2020 CVE Identifier: CVE-2020-2491 Affected Product: QNAP NAS running Photo Station --- Severity & Status Severity: Important Status: Resolved --- Vulnerability Summary This cross-site scripting vulnerability allows remote attackers to inject malicious code into Photo Station. The vulnerability has been fixed in the following versions: QTS 4.5.1: Photo Station 6.0.12 and later QTS 4.4.3: Photo Station 6.0.12 and later QTS 4.3.6: Photo Station 5.7.12 and later QTS 4.3.4: Photo Station 5.7.13 and later QTS 4.3.3: Photo Station 5.4.10 and later QTS 4.2.6: Photo Station 5.2.11 and later --- Recommended Actions To resolve this issue, users are advised to update Photo Station to the latest available version. --- Update Instructions 1. Log in to QTS as an administrator. 2. Open App Center and click the search icon. 3. Type “Photo Station” and press Enter. 4. Click the Update button. 5. Click Confirm to complete the update. --- Acknowledgments Acknowledgment: Jan Hoff --- This information highlights the severity, scope of impact, and remediation steps for the vulnerability, enabling users to promptly update their systems and mitigate potential security risks.

Goal Reached Thanks to every supporter — we hit 100%!

QNAP Photo Station XSS Vulnerability (CVE-2020-2491) Advisory and Patch