CVE-2021-28799
Severity CVSS v4.0:
Pending analysis
Type:
CWE-285
Improper Authorization
Publication date:
13/05/2021
Last modified:
12/03/2025
Description
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync). If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2; QNAP Systems Inc. HBS 1.3.
Impact
Base Score 3.x
10.00
Severity 3.x
CRITICAL
Base Score 2.0
7.50
Severity 2.0
HIGH
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* | | 16.0.0415 (excluding) |
cpe:2.3:a:qnap:qts:4.5.2:*:*:*:*:*:*:* | | |
cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* | | 3.0.210412 (excluding) |
cpe:2.3:o:qnap:qts:4.3.6:*:*:*:*:*:*:* | | |
cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* | | 3.0.210411 (excluding) |
cpe:2.3:a:qnap:qts:4.3.3:*:*:*:*:*:*:* | | |
cpe:2.3:a:qnap:qts:4.3.4:*:*:*:*:*:*:* | | |
cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* | | 16.0.0419 (excluding) |
cpe:2.3:o:qnap:quts_hero:h4.5.1:*:*:*:*:*:*:* | | |
cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* | | 16.0.0419 (excluding) |
cpe:2.3:o:qnap:qutscloud:*:*:*:*:*:*:*:* | c4.5.1 (including) | c4.5.4 (including) |