CVE-2018-19957 vulnerability in QNAP Products
Published on September 10, 2021
Insufficient HTTP Security Headers in QTS, QuTS hero, and QuTScloud
A vulnerability involving insufficient HTTP security headers has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. This vulnerability allows remote attackers to launch privacy and security attacks. We have already fixed this vulnerability in the following versions:
- QTS 4.5.4.1715 build 20210630 and later
- QuTS hero h4.5.4.1771 build 20210825 and later
- QuTScloud c4.5.6.1755 build 20210809 and later
Weakness Type
What is a Clickjacking Vulnerability?
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to.
CVE-2018-19957 has been classified as a Clickjacking vulnerability or weakness.
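The framing restriction described above is normally delivered through the `X-Frame-Options` header or the CSP `frame-ancestors` directive. The following is an added example (not code from QNAP or stack.watch) that evaluates a captured set of response headers and reports whether framing by other origins is blocked; the sample header sets are constructed, and the precedence rule it applies (browsers that support `frame-ancestors` ignore `X-Frame-Options` when both are present) is taken from the CSP specification.

```python
"""Evaluate whether an HTTP response restricts framing (the clickjacking
defence). Header names are matched case-insensitively; header values are
passed as (name, value) pairs because headers may repeat."""
from typing import Iterable, List, Optional, Tuple


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_verdict(headers: Iterable[Tuple[str, str]]) -> dict:
    """Decide whether other origins are prevented from framing the page.

    A frame-ancestors directive in an enforcing Content-Security-Policy header
    takes precedence over X-Frame-Options; Report-Only policies enforce nothing
    and are deliberately ignored here.
    """
    xfo: Optional[str] = None
    ancestors: Optional[List[str]] = None
    for name, value in headers:
        lname = name.strip().lower()
        if lname == "content-security-policy":
            found = frame_ancestors(value)
            if found is not None:
                ancestors = found
        elif lname == "x-frame-options":
            xfo = value.strip().upper()
    if ancestors is not None:
        # '*' or a bare scheme source (e.g. "https:") lets any origin frame the page
        wide_open = "*" in ancestors or any(a.endswith(":") for a in ancestors)
        return {"restricted": not wide_open, "mechanism": "csp", "policy": ancestors}
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"restricted": True, "mechanism": "x-frame-options", "policy": xfo}
    if xfo is not None:
        # ALLOW-FROM is obsolete and ignored by current browsers; treat as no protection
        return {"restricted": False, "mechanism": "x-frame-options", "policy": xfo}
    return {"restricted": False, "mechanism": None, "policy": None}


# Constructed sample responses: one with no framing protection, one hardened.
WEAK_HEADERS = [("Server", "http server"), ("Content-Type", "text/html")]
HARDENED_HEADERS = [
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'"),
]
```

Run `framing_verdict` over headers captured from a NAS login page to confirm the post-fix firmware returns a restricting policy; a `mechanism` of `None` means neither header is present.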
Products Associated with CVE-2018-19957
Affected Versions
QNAP Systems Inc. QTS:
- All versions below 4.5.4.1715 build 20210630 are affected.
QNAP Systems Inc. QuTS hero:
- All versions below h4.5.4.1771 build 20210825 are affected.
QNAP Systems Inc. QuTScloud:
- All versions below c4.5.6.1755 build 20210809 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.