Security ID : QSA-21-11
SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On
Release date : April 16, 2021
CVE identifier : CVE-2020-36195
Affected products: QNAP NAS running Multimedia Console or the Media Streaming add-on
Severity : Critical
Status : Resolved
Summary
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on.
If exploited, the vulnerability allows remote attackers to obtain application information.
We have already fixed this vulnerability in the following versions of Multimedia Console and the Media Streaming add-on.
- QTS 4.3.3: Media Streaming add-on 430.1.8.10 and later
- QTS 4.3.6: Media Streaming add-on 430.1.8.8 and later
- QTS 4.4.x and later: Multimedia Console 1.3.4 and later
We have also fixed this vulnerability in the following versions of QTS 4.3.3 and QTS 4.3.6, respectively:
- QTS 4.3.3.1624 Build 20210416 and later
- QTS 4.3.6.1620 Build 20210322 and later
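The fixed versions above can be checked across an inventory with a short script. This is an added example, not QNAP code: the `assess` function, the inventory rows and the choice to flag both the app and QTS on the 4.3.3 and 4.3.6 branches are assumptions made here. Versions are compared field by field as numbers, because a plain string comparison would rank 430.1.8.9 above 430.1.8.10.

```python
import re

# Fixed versions copied from this advisory (QSA-21-11).
# QTS branch -> (app to check, first fixed app version, first fixed QTS, build)
FIXED = {
    "4.3.3": ("Media Streaming add-on", "430.1.8.10", "4.3.3.1624", 20210416),
    "4.3.6": ("Media Streaming add-on", "430.1.8.8", "4.3.6.1620", 20210322),
}
CONSOLE_FIXED = ("Multimedia Console", "1.3.4")  # QTS 4.4.x and later

def vtuple(version):
    """'430.1.8.10' -> (430, 1, 8, 10), so each field compares as a number."""
    return tuple(int(part) for part in version.strip().split("."))

def assess(qts, app_version):
    """Return findings for one NAS; an empty list means fixed per the advisory."""
    m = re.fullmatch(r"(\d+(?:\.\d+)+)(?:\s+Build\s+(\d{8}))?", qts.strip())
    if not m:
        return [f"unparseable QTS version {qts!r}"]
    qts_v, build = vtuple(m.group(1)), int(m.group(2) or 0)
    branch = ".".join(str(n) for n in qts_v[:3])
    findings = []
    if branch in FIXED:
        app, app_fixed, qts_fixed, build_fixed = FIXED[branch]
        # A missing build date counts as 0, so an unknown build is flagged.
        if qts_v + (build,) < vtuple(qts_fixed) + (build_fixed,):
            findings.append(f"QTS older than {qts_fixed} Build {build_fixed}")
    elif qts_v[:2] >= (4, 4):
        app, app_fixed = CONSOLE_FIXED
    else:
        return [f"QTS {branch} is not covered by the advisory"]
    if vtuple(app_version) < vtuple(app_fixed):
        findings.append(f"{app} older than {app_fixed}")
    return findings

# Constructed inventory rows (host, QTS version, app version), not real devices.
# Assumption: app version is the Media Streaming add-on on 4.3.x, else Multimedia Console.
INVENTORY = [
    ("nas-a", "4.3.3.1500 Build 20201201", "430.1.8.9"),
    ("nas-b", "4.3.6.1620 Build 20210322", "430.1.8.8"),
    ("nas-c", "4.4.3.1400 Build 20200817", "1.3.3"),
]

if __name__ == "__main__":
    for host, qts, app_version in INVENTORY:
        print(host, assess(qts, app_version) or "fixed")
```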
Recommendation
To fix the vulnerability, we recommend updating Multimedia Console or the Media Streaming add-on to the latest version. Additionally, for devices running QTS 4.3.3 and QTS 4.3.6, updating QTS is highly recommended.
Updating QTS
- Log on to QTS as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.
Updating Multimedia Console
- Log on to QTS as administrator.
- Open the App Center and then click .
A search box appears.
- Type “Multimedia Console” and then press ENTER.
Multimedia Console appears in the search results.
- Click Update.
A confirmation message appears.
Note: The Update button is not available if your Multimedia Console is already up to date.
- Click OK.
The application is updated.
Updating the Media Streaming Add-On
- Log on to QTS as administrator.
- Open the App Center and then click .
A search box appears.
- Type “Media Streaming add-on” and then press ENTER.
The Media Streaming add-on appears in the search results.
- Click Update.
A confirmation message appears.
Note: The Update button is not available if your Media Streaming add-on is already up to date.
- Click OK.
The application is updated.
Acknowledgements: Yaniv Puyeski
Revision History:
V2.0 (April 29, 2021) - Minor correction
V1.0 (April 16, 2021) - Published