QNAP Systems announced the release of patches for cross-site scripting (XSS) bug (CVE-2021-38674) in the TFTP Server in QTS, QuTS hero, and QuTScloud. Successful exploitation of the security error could allow an attacker to inject malicious code, QNAP says.

The issue was addressed with the release of QTS 4.5.4.1787 build 20210910, QuTS hero h4.5.4.1771 build 20210825, and QuTScloud c4.5.7.1864.

QNAP has also addressed a vulnerability affecting QNAP NAS running QVPN Service 3.x that can be exploited to achieve arbitrary code execution on the system. The bug was addressed with the release of QVPN Service 3.0.760.