CVE-2020-2503 CRITICAL

CVE-2020-2503: Stored cross-site scripting vulnerability in QES

Vendor Qnap Systems Inc.

Product QES

Weakness CWE-79 · XSS

Published December 24, 2020

Last update September 17, 2024

View on NVD All CVEs

CVSS base score

9.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

If exploited, this stored cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later.

Key dates

02Disclosure timeline

December 24, 2020 CVE published

September 17, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-2503 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2023-38364 IBM CICS TX Advanced cross-site scripting CVE-2023-33211 WordPress WP-Piwik Plugin <= 1.0.27 is vulnerable to Cross Site Scripting (XSS) CVE-2021-24418 Smooth Scroll Page Up/Down Buttons <= 1.4 - Authenticated Stored XSS via psb_positioning CVE-2024-51920 WordPress Map Store Locator plugin <= 1.2.1 - Cross Site Scripting (XSS) vulnerability CVE-2024-29811 WordPress Radio Player plugin <= 2.0.73 - Cross Site Scripting (XSS) vulnerability