CVE-2020-36195

CVSS V2 High 7.5 CVSS V3 Critical 9.8
Description
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia Console and the Media Streaming add-on. QTS 4.3.3: Media Streaming add-on 430.1.8.10 and later QTS 4.3.6: Media Streaming add-on 430.1.8.8 and later QTS 4.4.x and later: Multimedia Console 1.3.4 and later We have also fixed this vulnerability in the following versions of QTS 4.3.3 and QTS 4.3.6, respectively: QTS 4.3.3.1624 Build 20210416 or later QTS 4.3.6.1620 Build 20210322 or later
Overview
  • CVE ID
  • CVE-2020-36195
  • Assigner
  • security@qnapsecurity.com.tw
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2021-04-17T04:15:11
  • Last Modified Date
  • 2021-04-23T14:12:11
Weakness Enumerations
CWE URL
CWE-89 http://cwe.mitre.org/data/definitions/89.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
AND
cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:* 1 OR 4.3.3
cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:* 1 OR 4.3.4 4.3.6
cpe:2.3:o:qnap:qts:4.3.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0095:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0096:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0136:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0154:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0174:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0188:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0210:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0229:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0238:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0262:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0299:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0351:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0353:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0361:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0369:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0378:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0396:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0404:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0416:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0418:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0448:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0514:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0546:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0570:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0868:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.0998:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.1051:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.1098:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.1161:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.1252:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.1315:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.1386:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.3.1432:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.6:-:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.6.0895:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.6.0907:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.6.0923:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.6.0944:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.6.0959:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.6.0979:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.6.0993:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.6.1013:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.6.1033:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.6.1070:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.6.1154:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.6.1218:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.6.1263:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.6.1286:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.6.1333:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.6.1411:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:qnap:qts:4.3.6.1446:*:*:*:*:*:*:* 1 OR
AND
cpe:2.3:a:qnap:media_streaming_add-on:*:*:*:*:*:*:*:* 1 OR 430.1.8.10
cpe:2.3:o:qnap:qts:4.3.3:*:*:*:*:*:*:* 0 OR
AND
cpe:2.3:a:qnap:media_streaming_add-on:*:*:*:*:*:*:*:* 1 OR 430.1.8.8
cpe:2.3:o:qnap:qts:4.3.6:*:*:*:*:*:*:* 0 OR
AND
cpe:2.3:a:qnap:multimedia_console:*:*:*:*:*:*:*:* 1 OR 1.3.4
cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:* 0 OR 4.4.0
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:L/Au:N/C:P/I:P/A:P
  • Access Vector
  • NETWORK
  • Access Compatibility
  • LOW
  • Authentication
  • NONE
  • Confidentiality Impact
  • PARTIAL
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • PARTIAL
  • Base Score
  • 7.5
  • Severity
  • HIGH
  • Exploitability Score
  • 10
  • Impact Score
  • 6.4
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • NONE
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • HIGH
  • Availability Impact
  • HIGH
  • Base Score
  • 9.8
  • Base Severity
  • CRITICAL
  • Exploitability Score
  • 3.9
  • Impact Score
  • 5.9
References
Reference URL Reference Tags
https://www.qnap.com/en/security-advisory/qsa-21-11 Vendor Advisory
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2020-36195
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36195
History
Created Old Value New Value Data Type Notes
2022-05-10 07:14:35 Added to TrackCVE
2022-12-06 02:04:31 security@qnap.com security@qnapsecurity.com.tw CVE Assigner updated
2022-12-06 02:04:31 2021-04-17T04:15Z 2021-04-17T04:15:11 CVE Published Date updated
2022-12-06 02:04:31 2021-04-23T14:12:11 CVE Modified Date updated
2022-12-06 02:04:31 Analyzed Vulnerability Status updated