CVE-2021-34354

7.6 HIGH

📋 TL;DR

This cross-site scripting (XSS) vulnerability in QNAP Photo Station allows remote attackers to inject malicious JavaScript code into web pages viewed by other users. It affects QNAP NAS devices running vulnerable versions of Photo Station, potentially compromising user sessions and device security.

💻 Affected Systems

Products:
  • QNAP Photo Station
Versions: All versions before Photo Station 6.0.18
Operating Systems: QTS (QNAP Turbo NAS Operating System)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects QNAP NAS devices with Photo Station installed. The vulnerability exists in the web interface component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, install malware, pivot to internal networks, or completely compromise the QNAP device and connected systems.

🟠 Likely Case

Session hijacking, credential theft, defacement of the Photo Station interface, or delivery of malware to authenticated users.

🟢 If Mitigated

Limited to interface manipulation within Photo Station if proper network segmentation and web application firewalls are in place.

🌐 Internet-Facing: HIGH - Photo Station is often exposed to the internet for remote photo access, making exploitation trivial if vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this to escalate privileges or move laterally within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities are commonly weaponized. The advisory suggests remote exploitation is possible without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Photo Station 6.0.18 and later

Vendor Advisory: https://www.qnap.com/en/security-advisory/qsa-21-41

Restart Required: Yes

Instructions:

1. Log into the QNAP NAS web interface.
2. Open App Center.
3. Check for Photo Station updates.
4. Install Photo Station 6.0.18 or later.
5. Restart the Photo Station service, or the entire NAS if prompted.

🔧 Temporary Workarounds

Disable Photo Station (applies to: all)

Temporarily disable Photo Station if immediate patching isn't possible.

Log into QNAP web interface > App Center > Photo Station > Disable

Network Isolation (applies to: all)

Restrict access to the Photo Station web interface using firewall rules.

QNAP firewall: Control Panel > Security > Firewall > Add rule to block external access to Photo Station ports

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules
  • Restrict Photo Station access to trusted IP addresses only using network ACLs

🔍 How to Verify

Check if Vulnerable:

Check Photo Station version in QNAP App Center. If version is below 6.0.18, the system is vulnerable.

Check Version:

Via SSH: grep photo_station_version /etc/config/uLinux.conf

Verify Fix Applied:

Confirm Photo Station version is 6.0.18 or higher in App Center after update.
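
As an added example (not part of this advisory and not QNAP tooling), the following POSIX shell script reads the Photo Station version from a config file and compares it field by field against 6.0.18, so that a version such as 6.0.9 is correctly reported as older than 6.0.18 where a plain string comparison would not. The photo_station_version key name is assumed from the SSH command above; the sample config content is constructed.

```shell
#!/bin/sh
# Added example, not from the advisory or from QNAP. Compares an installed
# Photo Station version against the fixed release numerically, field by field,
# so that 6.0.9 is correctly seen as older than 6.0.18 (a plain string
# comparison would say the opposite).
FIXED_VERSION="6.0.18"

# version_lt A B -> exit 0 if version A is older than version B.
# Each dotted field is coerced to a number by awk: "18build2" counts as 18,
# a missing field counts as 0, so 6.1 equals 6.1.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# version_from_conf FILE -> prints the photo_station_version value.
# Key name assumed from the advisory's grep command; no other format is implied.
version_from_conf() {
    sed -n 's/^[[:space:]]*photo_station_version[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -n 1 | tr -d '[:space:]'
}

# photo_station_status VERSION -> exit 0 (vulnerable) or 1 (patched), with a message.
photo_station_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "VULNERABLE: Photo Station $1 is older than $FIXED_VERSION (CVE-2021-34354)"
        return 0
    fi
    echo "PATCHED: Photo Station $1 is $FIXED_VERSION or later"
    return 1
}

# Constructed sample config standing in for /etc/config/uLinux.conf so the
# script runs offline; pass a real path as the first argument instead.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
printf '[Photo Station]\nphoto_station_version = 6.0.9\n' > "$SAMPLE_CONF"
CONF="${1:-$SAMPLE_CONF}"
VER=$(version_from_conf "$CONF")
if [ -n "$VER" ]; then
    photo_station_status "$VER"
else
    echo "no photo_station_version entry found in $CONF" >&2
fi
```

Run it on the NAS with `sh check.sh /etc/config/uLinux.conf`; the exit status (0 = vulnerable) makes it usable from a fleet inventory job.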

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript payloads in web server logs
  • Multiple failed XSS attempts in Photo Station access logs
  • Unexpected iframe or script tags in Photo Station interface

Network Indicators:

  • Suspicious JavaScript in HTTP requests to Photo Station endpoints
  • Unexpected redirects from Photo Station URLs

SIEM Query:

source="qnap_logs" AND ("photo_station" OR "photostation") AND ("script" OR "javascript" OR "onload" OR "onerror")
