“Q’center now provides Q’center Virtual Appliance that allows you to deploy Q’center in virtual environments such as Microsoft Hyper-V or VMware ESXi, Fusion and Workstation. Using Q’center as a virtual appliance further increases its flexibility and connectivity for large environments, as you no longer need a local QNAP NAS to monitor other NAS and can use an existing central server to monitor every NAS unit.” For more information visit https://www.qnap.com/solution/qcenter.
The “Log” page in the “Q’center Event” tab shows all events that occurred on the Q’center server, including failed login attempts.
The full PoC code will be released at a later time on this repo.
An unauthenticated attacker could hijack a privileged user session.
Upgrade QNAP Q’center to version 1.12.1014 or higher.
(Note: we didn’t verify the patches.)
This report was subject to Shielder’s disclosure policy:
`zi0Black` of Shielder
This advisory was first published on https://www.shielder.it/it/advisories/qnap-qcenter-virtual-stored-xss/
3 June 2021