Security ID: NAS-201811-29
Vulnerability: XSS Vulnerability in Qsync Central
Release Date: November 29, 2018
CVE Identifier: CVE-2018-0716

Affected Products:
- QTS 4.2.6 build 20180711 and earlier versions
- QTS 4.3.3: Qsync Central 3.0.2 and earlier versions
- QTS 4.3.4: Qsync Central 3.0.3 and earlier versions
- QTS 4.3.5: Qsync Central 3.0.4 and earlier versions

Severity: Important
Status: Resolved

Summary:
A cross-site scripting vulnerability affecting Qsync Central allows remote attackers to inject JavaScript code into the application.

Resolution:
- QTS 4.2.6: build 20180829 and later
- QTS 4.3.3: Qsync Central 3.0.2.01 and later
- QTS 4.3.4: Qsync Central 3.0.3.01 and later
- QTS 4.3.5: Qsync Central 3.0.4.01 and later

Recommendation:
- Update QTS to the latest version for QTS 4.2.6.
- Update Qsync Central to the latest version for QTS 4.3.3, 4.3.4, and 4.3.5.

Acknowledgements: Marcin Zieba, information security researcher and pentester