CVE-2021-38678 - Vulnerability Details - OpenCVE

An open redirect vulnerability has been reported to affect QNAP device running QcalAgent. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QcalAgent: QcalAgent 1.1.7 and later

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00169.

Key SSVC decision points have not yet been added.

Vendors	Products
Qnap	Qcalagent

Configuration 1 [-]

cpe:2.3:a:qnap:qcalagent:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-25117	An open redirect vulnerability has been reported to affect QNAP device running QcalAgent. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QcalAgent: QcalAgent 1.1.7 and later

Fixes

Solution

We have already fixed this vulnerability in the following versions of QcalAgent: QcalAgent 1.1.7 and later

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.qnap.com/en/security-advisory/qsa-21-60

History

No history.

MITRE

Status: PUBLISHED

Assigner: qnap

Published: 2022-01-14T01:00:17.962964Z

Updated: 2024-09-17T03:59:41.622Z

Reserved: 2021-08-13T00:00:00

Link: CVE-2021-38678

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-01-14T01:15:08.423

Modified: 2024-11-21T06:17:52.737

Link: CVE-2021-38678

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "QcalAgent", "vendor": "QNAP Systems Inc.", "versions": [{"lessThan": "1.1.7", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Tony Martin, a security researcher"}], "datePublic": "2022-01-12T00:00:00", "descriptions": [{"lang": "en", "value": "An open redirect vulnerability has been reported to affect QNAP device running QcalAgent. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QcalAgent: QcalAgent 1.1.7 and later"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-14T01:00:17", "orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.qnap.com/en/security-advisory/qsa-21-60"}], "solutions": [{"lang": "en", "value": "We have already fixed this vulnerability in the following versions of QcalAgent:\nQcalAgent 1.1.7 and later"}], "source": {"advisory": "QSA-21-60", "discovery": "EXTERNAL"}, "title": "Open Redirect Vulnerability in QcalAgent", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@qnap.com", "DATE_PUBLIC": "2022-01-12T22:58:00.000Z", "ID": "CVE-2021-38678", "STATE": "PUBLIC", "TITLE": "Open Redirect Vulnerability in QcalAgent"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "QcalAgent", "version": {"version_data": [{"version_affected": "<", "version_value": "1.1.7"}]}}]}, "vendor_name": "QNAP Systems Inc."}]}}, "credit": [{"lang": "eng", "value": "Tony Martin, a security researcher"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An open redirect vulnerability has been reported to affect QNAP device running QcalAgent. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QcalAgent: QcalAgent 1.1.7 and later"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}]}, "references": {"reference_data": [{"name": "https://www.qnap.com/en/security-advisory/qsa-21-60", "refsource": "MISC", "url": "https://www.qnap.com/en/security-advisory/qsa-21-60"}]}, "solution": [{"lang": "en", "value": "We have already fixed this vulnerability in the following versions of QcalAgent:\nQcalAgent 1.1.7 and later"}], "source": {"advisory": "QSA-21-60", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:51:19.187Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.qnap.com/en/security-advisory/qsa-21-60"}]}]}, "cveMetadata": {"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "assignerShortName": "qnap", "cveId": "CVE-2021-38678", "datePublished": "2022-01-14T01:00:17.962964Z", "dateReserved": "2021-08-13T00:00:00", "dateUpdated": "2024-09-17T03:59:41.622Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qnap:qcalagent:*:*:*:*:*:*:*:*", "matchCriteriaId": "5E9CFB88-62F0-47FF-A86A-7E380F2A03AE", "versionEndExcluding": "1.1.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An open redirect vulnerability has been reported to affect QNAP device running QcalAgent. If exploited, this vulnerability allows attackers to redirect users to an untrusted page that contains malware. We have already fixed this vulnerability in the following versions of QcalAgent: QcalAgent 1.1.7 and later"}, {"lang": "es", "value": "Se ha informado de una vulnerabilidad de redireccionamiento abierto que afecta al dispositivo QNAP que ejecuta QcalAgent. Si es explotado, esta vulnerabilidad permite a atacantes redirigir a usuarios a una p\u00e1gina no confiable que contiene malware. Ya hemos corregido esta vulnerabilidad en las siguientes versiones de QcalAgent: QcalAgent 1.1.7 y posteriores"}], "id": "CVE-2021-38678", "lastModified": "2024-11-21T06:17:52.737", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-14T01:15:08.423", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-21-60"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-21-60"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security@qnapsecurity.com.tw", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}]}