critical
9.8
CWE
89 20 943
Advisory Published
Updated

CVE-2020-36195: SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On

First published: Fri Apr 16 2021(Updated: )

An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia Console and the Media Streaming add-on. QTS 4.3.3: Media Streaming add-on 430.1.8.10 and later QTS 4.3.6: Media Streaming add-on 430.1.8.8 and later QTS 4.4.x and later: Multimedia Console 1.3.4 and later We have also fixed this vulnerability in the following versions of QTS 4.3.3 and QTS 4.3.6, respectively: QTS 4.3.3.1624 Build 20210416 or later QTS 4.3.6.1620 Build 20210322 or later

Credit: security@qnapsecurity.com.tw

Affected SoftwareAffected VersionHow to fix
QNAP QTS<4.3.3
QNAP QTS>=4.3.4<4.3.6
QNAP QTS=4.3.3
QNAP QTS=4.3.3.0095
QNAP QTS=4.3.3.0096
QNAP QTS=4.3.3.0136
QNAP QTS=4.3.3.0154
QNAP QTS=4.3.3.0174
QNAP QTS=4.3.3.0188
QNAP QTS=4.3.3.0210
QNAP QTS=4.3.3.0229
QNAP QTS=4.3.3.0238
QNAP QTS=4.3.3.0262
QNAP QTS=4.3.3.0299
QNAP QTS=4.3.3.0351
QNAP QTS=4.3.3.0353
QNAP QTS=4.3.3.0361
QNAP QTS=4.3.3.0369
QNAP QTS=4.3.3.0378
QNAP QTS=4.3.3.0396
QNAP QTS=4.3.3.0404
QNAP QTS=4.3.3.0416
QNAP QTS=4.3.3.0418
QNAP QTS=4.3.3.0448
QNAP QTS=4.3.3.0514
QNAP QTS=4.3.3.0546
QNAP QTS=4.3.3.0570
QNAP QTS=4.3.3.0868
QNAP QTS=4.3.3.0998
QNAP QTS=4.3.3.1051
QNAP QTS=4.3.3.1098
QNAP QTS=4.3.3.1161
QNAP QTS=4.3.3.1252
QNAP QTS=4.3.3.1315
QNAP QTS=4.3.3.1386
QNAP QTS=4.3.3.1432
QNAP QTS=4.3.6
QNAP QTS=4.3.6.0895
QNAP QTS=4.3.6.0907
QNAP QTS=4.3.6.0923
QNAP QTS=4.3.6.0944
QNAP QTS=4.3.6.0959
QNAP QTS=4.3.6.0979
QNAP QTS=4.3.6.0993
QNAP QTS=4.3.6.1013
QNAP QTS=4.3.6.1033
QNAP QTS=4.3.6.1070
QNAP QTS=4.3.6.1154
QNAP QTS=4.3.6.1218
QNAP QTS=4.3.6.1263
QNAP QTS=4.3.6.1286
QNAP QTS=4.3.6.1333
QNAP QTS=4.3.6.1411
QNAP QTS=4.3.6.1446
Qnap Media Streaming Add-on<430.1.8.10
QNAP QTS=4.3.3
Qnap Media Streaming Add-on<430.1.8.8
QNAP QTS=4.3.6
Qnap Multimedia Console<1.3.4
QNAP QTS>=4.4.0

Remedy

QNAP has already fixed this vulnerability in the following versions of Multimedia Console and the Media Streaming add-on. QTS 4.3.3: Media Streaming add-on 430.1.8.10 and later QTS 4.3.6: Media Streaming add-on 430.1.8.8 and later QTS 4.4.x and later: Multimedia Console 1.3.4 and later We have also fixed this vulnerability in the following versions of QTS 4.3.3 and QTS 4.3.6, respectively: QTS 4.3.3.1624 Build 20210416 or later QTS 4.3.6.1620 Build 20210322 or later

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2020-36195?

    The severity of CVE-2020-36195 is rated as critical with a severity value of 9.8.

  • How do I check if my QNAP NAS is affected by CVE-2020-36195?

    Check if your QNAP NAS is running Multimedia Console or the Media Streaming add-on with vulnerable versions mentioned in the advisory.

  • Is there a fix available for CVE-2020-36195?

    Yes, QNAP has released fixes for this vulnerability in specific versions of Multimedia Console and Media Streaming add-on.

  • What can happen if CVE-2020-36195 is exploited?

    If exploited, remote attackers can obtain application information from the affected QNAP NAS devices.

  • Where can I find more information about CVE-2020-36195?

    You can find more information about CVE-2020-36195 on the QNAP security advisory QSA-21-11.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203