“Q’center now provides Q’center Virtual Appliance that allows you to deploy Q’center in virtual environments such as Microsoft Hyper-V or VMware ESXi, Fusion and Workstation. Using Q’center as a virtual appliance further increases its flexibility and connectivity for large environments, as you no longer need a local QNAP NAS to monitor other NAS and can use an existing central server to monitor every NAS unit.” For more information visit https://www.qnap.com/solution/qcenter.
The “Log” page in the “Q’center Event” tab shows all events that occurred on the Q’center server, including failed login attempts.
The complete PoC code can be found on this repo.
An unauthenticated attacker could hijack a privileged user session.
Upgrade QNAP Q’center to version 1.12.1014 or higher.
(Note: we didn’t verify the patches.)
This report was subject to Shielder’s disclosure policy:
`zi0Black` of Shielder
This advisory was first published on https://www.shielder.com/advisories/qnap-qcenter-virtual-stored-xss/
3 June 2021