What is CVE-2018-19953?

CVE-2018-19953 is a vulnerability in Qnap Systems Inc. Qts, classified under Cross-site Scripting. Published 2020-10-28.

Is CVE-2018-19953 known to be exploited?

Yes. CVE-2018-19953 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-05-24), indicating it is being actively exploited. 3 public proof-of-concept repositories are indexed.

XSS in Qnap Systems Inc. Qts

CVE-2018-19953

If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.315 (96.9th percentile) — read the EPSS interpretation.

Affected products

Qnap Systems Inc. Qts — versions unspecified

Weakness classification (CWE)

CISA KEV (Known Exploited Vulnerabilities)

This CVE is on the CISA KEV catalog, added on 2022-05-24. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.

BOD 22-01 due date: 2022-06-14.

Required action: Apply updates per vendor instructions.

Known ransomware campaign use: yes.

Public proof-of-concept exploits

References

www.qnap.com/zh-tw/security-advisory/qsa-20-01 (x_refsource_MISC)

Frequently asked questions

What is CVE-2018-19953?: CVE-2018-19953 is a vulnerability in Qnap Systems Inc. Qts, classified under Cross-site Scripting. Published 2020-10-28.
Is CVE-2018-19953 known to be exploited?: Yes. CVE-2018-19953 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-05-24), indicating it is being actively exploited. 3 public proof-of-concept repositories are indexed.