CVE-2021-38677 - Vulnerability Details - OpenCVE

A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QcalAgent. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QcalAgent: QcalAgent 1.1.7 and later

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00324.

Key SSVC decision points have not yet been added.

Vendors	Products
Qnap Subscribe	Qcalagent Subscribe

Configuration 1 [-]

cpe:2.3:a:qnap:qcalagent:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-25116	A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QcalAgent. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QcalAgent: QcalAgent 1.1.7 and later

Fixes

Solution

We have already fixed this vulnerability in the following versions of QcalAgent: QcalAgent 1.1.7 and later

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.qnap.com/en/security-advisory/qsa-21-60

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: qnap

Published: 2022-01-14T01:00:16.519605Z

Updated: 2024-09-17T01:10:31.762Z

Reserved: 2021-08-13T00:00:00

Link: CVE-2021-38677

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-01-14T01:15:08.323

Modified: 2024-11-21T06:17:52.593

Link: CVE-2021-38677

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

{"containers": {"cna": {"affected": [{"product": "QcalAgent", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "1.1.7", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Tony Martin, a security researcher"}], "datePublic": "2022-01-12T00:00:00", "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QcalAgent. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QcalAgent: QcalAgent 1.1.7 and later"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-14T01:00:16", "orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.qnap.com/en/security-advisory/qsa-21-60"}], "solutions": [{"lang": "en", "value": "We have already fixed this vulnerability in the following versions of QcalAgent:\nQcalAgent 1.1.7 and later"}], "source": {"advisory": "QSA-21-60", "discovery": "EXTERNAL"}, "title": "Reflected XSS Vulnerability in QcalAgent", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@qnap.com", "DATE_PUBLIC": "2022-01-12T23:04:00.000Z", "ID": "CVE-2021-38677", "STATE": "PUBLIC", "TITLE": "Reflected XSS Vulnerability in QcalAgent"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "QcalAgent", "version": {"version_data": [{"version_affected": "<", "version_value": "1.1.7"}]}}]}, "vendor_name": "QNAP Systems Inc."}]}}, "credit": [{"lang": "eng", "value": "Tony Martin, a security researcher"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QcalAgent. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QcalAgent: QcalAgent 1.1.7 and later"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://www.qnap.com/en/security-advisory/qsa-21-60", "refsource": "MISC", "url": "https://www.qnap.com/en/security-advisory/qsa-21-60"}]}, "solution": [{"lang": "en", "value": "We have already fixed this vulnerability in the following versions of QcalAgent:\nQcalAgent 1.1.7 and later"}], "source": {"advisory": "QSA-21-60", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:51:19.049Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.qnap.com/en/security-advisory/qsa-21-60"}]}]}, "cveMetadata": {"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "assignerShortName": "qnap", "cveId": "CVE-2021-38677", "datePublished": "2022-01-14T01:00:16.519605Z", "dateReserved": "2021-08-13T00:00:00", "dateUpdated": "2024-09-17T01:10:31.762Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qnap:qcalagent:*:*:*:*:*:*:*:*", "matchCriteriaId": "5E9CFB88-62F0-47FF-A86A-7E380F2A03AE", "versionEndExcluding": "1.1.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running QcalAgent. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QcalAgent: QcalAgent 1.1.7 and later"}, {"lang": "es", "value": "Se ha informado de una vulnerabilidad de tipo cross-site scripting (XSS) que afecta al dispositivo QNAP que ejecuta QcalAgent. Si es explotado, esta vulnerabilidad permite a atacantes remotos inyectar c\u00f3digo malicioso. Ya hemos corregido esta vulnerabilidad en las siguientes versiones de QcalAgent: QcalAgent 1.1.7 y posteriores"}], "id": "CVE-2021-38677", "lastModified": "2024-11-21T06:17:52.593", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-14T01:15:08.323", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-21-60"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-21-60"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@qnapsecurity.com.tw", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}