QNAP fixes bug that allows attackers to run malicious commands remotely
Network-attached storage (NAS) maker QNAP has released security patches for multiple vulnerabilities that could allow attackers to inject and execute malicious code and commands remotely on vulnerable NAS devices.
Three of the security flaws fixed by QNAP are high-severity stored cross-site scripting (XSS) vulnerabilities, tracked as CVE-2021-34354, CVE-2021-34356 and CVE-2021-34355. They affect devices running unpatched Photo Station software with releases before 5.4.10, 5.7.13 and 6.0.18.
QNAP also patched a stored XSS flaw in Image2PDF (CVE-2021-38675) impacting devices running software versions released before Image2PDF 2.1.5.
The company also addressed a command injection bug (CVE-2021-34352) affecting some QNAP end-of-life (EOL) devices running the QVR video surveillance software.
Source: bleepingcomputer.com
04 October 2021