Security ID : QSA-21-21
Command Injection Vulnerability in Video Station
Release date : June 3, 2021
CVE identifier : CVE-2021-28812
Affected products: QNAP NAS running Video Station
Severity
High
Status
Resolved
Summary
A command injection vulnerability has been reported to affect certain versions of Video Station. If exploited, this vulnerability allows remote attackers to execute arbitrary commands.
We have already fixed the issue in the following versions:
- QTS 4.5.2: Video Station 5.5.4 and later
- QuTS hero h4.5.2: Video Station 5.5.4 and later
- QuTScloud c4.5.4: Video Station 5.5.4 and later
QNAP NAS running the following versions are not affected:
- QTS 4.3.6: Video Station 5.3.11 and later
- QTS 4.3.3: Video Station 5.1.6 and later
Recommendation
To fix the vulnerability, we recommend updating Video Station to the latest version.
Updating Video Station
- Log on to QTS or QuTS hero as administrator.
- Open the App Center and then click .
A search box appears. - Type “Video Station” and then press ENTER.
Video Station appears in the search results. - Click Update.
A confirmation message appears.
Note: The Update button is not available if your Video Station is already up to date. - Click OK.
The application is updated.
Acknowledgements: Thomas Fady
Revision History: V1.0 (June 3, 2021) - Published