Taiwan-based NAS maker QNAP has released security patches for multiple vulnerabilities that could allow attackers to inject and execute malicious code and commands remotely on vulnerable NAS devices.

Three of the security flaws fixed today by QNAP are high-severity stored cross-site scripting (XSS) vulnerabilities (tracked as CVE-2021-34354, CVE-2021-34356, and CVE-2021-34355) that affect devices running unpatched Photo Station software (releases before 5.4.10, 5.7.13, or 6.0.18).

QNAP also patched a stored XSS Image2PDF flaw impacting devices running software versions released before Image2PDF 2.1.5. Stored XSS attacks allow threat actors to inject malicious code remotely, permanently storing it on the targeted servers following successful exploitation.

The company also addressed a command injection bug (CVE-2021-34352) that affects some QNAP EOL devices running the QVR IP video surveillance software and lets attackers run arbitrary commands. Successful exploitation of this flaw could lead to the complete takeover of compromised NAS devices.
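To check a fleet against the fixed Photo Station and Image2PDF releases named above, the following added example (not QNAP's code) flags installed versions that predate the fix. It assumes each Photo Station fix applies to the branch sharing its major.minor number; the inventory rows, hostnames and function names are constructed for illustration.

```python
# Fixed releases as listed in the article, keyed by app name.
FIXED = {
    "Photo Station": ["5.4.10", "5.7.13", "6.0.18"],
    "Image2PDF": ["2.1.5"],
}


def parse(version):
    """Turn '5.7.13' into (5, 7, 13); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(app, installed):
    """Return True if `installed` predates the fix for its release branch."""
    fixes = sorted(parse(f) for f in FIXED[app])
    have = parse(installed)
    # Assumption: a fix applies to the branch sharing its major.minor.
    for fix in fixes:
        if have[:2] == fix[:2]:
            return have < fix
    # No matching branch (or a single fixed release): anything older than
    # the newest fix is flagged, anything newer is treated as patched.
    return have < fixes[-1]


def audit(inventory):
    """inventory: iterable of (host, app, version); returns rows to patch."""
    return [
        (host, app, version)
        for host, app, version in inventory
        if app in FIXED and is_vulnerable(app, version)
    ]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("nas-01", "Photo Station", "5.7.12"),
    ("nas-02", "Photo Station", "6.0.18"),
    ("nas-03", "Photo Station", "5.4.9"),
    ("nas-04", "Image2PDF", "2.1.4"),
    ("nas-05", "Image2PDF", "2.1.5"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("needs update:", *row)
```

Comparing parsed integer tuples rather than strings matters here: as text, "5.4.9" sorts after "5.4.10" and would be reported as patched.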