CVE-2021-38680 - OpenCVE

A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Kazoo Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Kazoo Server: Kazoo Server 4.11.20 and later

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Qnap	Kazoo Server

Configuration 1 [-]

cpe:2.3:a:qnap:kazoo_server:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.qnap.com/en/security-advisory/qsa-21-54	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: qnap

Published: 2021-12-09T00:00:00

Updated: 2021-12-29T13:05:13

Reserved: 2021-08-13T00:00:00

Link: CVE-2021-38680

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-12-29T13:15:07.963

Modified: 2022-01-07T18:31:17.317

Link: CVE-2021-38680

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "Kazoo Server", "vendor": "Linn Products Limited", "versions": [{"lessThan": "4.11.20", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "XUELIANG SUN"}], "datePublic": "2021-12-09T00:00:00", "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Kazoo Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Kazoo Server: Kazoo Server 4.11.20 and later"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-29T13:05:13", "orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.qnap.com/en/security-advisory/qsa-21-54"}], "solutions": [{"lang": "en", "value": "We have already fixed this vulnerability in the following versions of Kazoo Server:\nKazoo Server 4.11.20 and later\n"}], "source": {"advisory": "QSA-21-54", "discovery": "EXTERNAL"}, "title": "Reflected XSS in Kazoo Server", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@qnap.com", "DATE_PUBLIC": "2021-12-09T21:38:00.000Z", "ID": "CVE-2021-38680", "STATE": "PUBLIC", "TITLE": "Reflected XSS in Kazoo Server"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kazoo Server", "version": {"version_data": [{"version_affected": "<", "version_value": "4.11.20"}]}}]}, "vendor_name": "Linn Products Limited"}]}}, "credit": [{"lang": "eng", "value": "XUELIANG SUN"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Kazoo Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Kazoo Server: Kazoo Server 4.11.20 and later"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://www.qnap.com/en/security-advisory/qsa-21-54", "refsource": "MISC", "url": "https://www.qnap.com/en/security-advisory/qsa-21-54"}]}, "solution": [{"lang": "en", "value": "We have already fixed this vulnerability in the following versions of Kazoo Server:\nKazoo Server 4.11.20 and later\n"}], "source": {"advisory": "QSA-21-54", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "assignerShortName": "qnap", "cveId": "CVE-2021-38680", "datePublished": "2021-12-09T00:00:00", "dateReserved": "2021-08-13T00:00:00", "dateUpdated": "2021-12-29T13:05:13", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qnap:kazoo_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "FEB93307-26C9-421B-8B78-FD659FEA57B2", "versionEndExcluding": "4.11.20", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Kazoo Server. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of Kazoo Server: Kazoo Server 4.11.20 and later"}, {"lang": "es", "value": "Se ha informado de una vulnerabilidad de tipo cross-site scripting (XSS)que afecta al dispositivo de QNAP que ejecuta Kazoo Server. Si es explotado, esta vulnerabilidad permite a atacantes remotos inyectar c\u00f3digo malicioso. Ya hemos corregido esta vulnerabilidad en las siguientes versiones de Kazoo Server: Kazoo Server 4.11.20 y posteriores"}], "id": "CVE-2021-38680", "lastModified": "2022-01-07T18:31:17.317", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}, "published": "2021-12-29T13:15:07.963", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-21-54"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@qnapsecurity.com.tw", "type": "Primary"}]}