An unauthenticated attacker can inject JavaScript code into the Q’center Virtual Appliance event log page.
“Q’center now provides Q’center Virtual Appliance that allows you to deploy Q’center in virtual environments such as Microsoft Hyper-V or VMware ESXi, Fusion and Workstation. Using Q’center as a virtual appliance further increases its flexibility and connectivity for large environments, as you no longer need a local QNAP NAS to monitor other NAS and can use an existing central server to monitor every NAS unit.” For more information visit https://www.qnap.com/solution/qcenter.
The “Log” page in the “Q’center Event” tab shows all events that occurred on the Q’center server, including failed login attempts.
Among the information reported there is the name of the account that failed the login. Because this value is attacker-controlled and is not sanitized before being reflected in the page, an unauthenticated attacker could inject JavaScript code that is executed whenever a privileged user navigates to the Q’center event section.
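As an added illustration (not part of the advisory or of QNAP’s code), the rendering pattern described above beside an output-encoded version, together with a simple check that flags failed-login events whose account name carries markup; the events and field names are constructed for the example.

```python
import html
import re

# Constructed sample events modelled on the advisory: each failed login
# records the attempted account name, a value the unauthenticated client chooses.
SAMPLE_EVENTS = [
    {"type": "login_failed", "user": "alice", "src": "192.0.2.10"},
    {"type": "login_failed", "user": 'bob"><script>x</script>', "src": "198.51.100.7"},
    {"type": "login_ok", "user": "admin", "src": "192.0.2.20"},
]

def render_row_vulnerable(event):
    # Reflects the stored account name verbatim into the HTML table:
    # this is the defect class the advisory describes (stored XSS).
    return (f"<tr><td>{event['type']}</td>"
            f"<td>{event['user']}</td><td>{event['src']}</td></tr>")

def render_row_fixed(event):
    # Context-aware output encoding: every untrusted field is escaped for an
    # HTML text-node context before it reaches the page, so markup in the
    # account name is displayed literally instead of being parsed.
    cells = (html.escape(str(event[k]), quote=True) for k in ("type", "user", "src"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"

# Heuristic for log review: account names containing tag delimiters, quotes,
# a javascript: scheme or an on*= handler are not plausible usernames.
MARKUP = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)

def suspicious_login_names(events):
    # Returns failed-login events whose account name looks like an injection
    # attempt, which is what a defender would want surfaced from this log.
    return [e for e in events
            if e["type"] == "login_failed" and MARKUP.search(e["user"])]
```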
The complete PoC code can be found on this repo.
An unauthenticated attacker could hijack a privileged user session.
Upgrade QNAP Q’center to version 1.12.1014 or later.
(Note: we didn’t verify the patches.)
This report was subject to Shielder’s disclosure policy:
`zi0Black` of Shielder
This advisory was first published on https://www.shielder.com/advisories/qnap-qcenter-virtual-stored-xss/
Date: 3 June 2021