Home server operating system: Updates fix security vulnerabilities in Unraid

Attackers could exploit the gaps to inject their own JavaScript code or malicious plug-ins into the Unraid admin interface.

Burning NAS systems

(Image: created with AI in Bing Image Creator by heise online / dmk)


Current versions of the Unraid home server operating system fix various security vulnerabilities, some of which are critical. The Unraid team announced this to its customers in a newsletter. Updates are available and admins should install them quickly.

The most serious of the four vulnerabilities is a textbook example of cross-site scripting (XSS): attackers can inject JavaScript code into an Unraid admin's browser session via a URL parameter in the web-based file browser. To do so, however, they must trick their victim into clicking a crafted link while logged into the Unraid web interface. A further XSS is hidden in a parameter of Unraid's device settings.

2003 called: this trivial XSS in the Unraid web interface is fixed in current versions.

(Image: heise security / cku)


The remaining vulnerabilities are:

  • a cross-site request forgery (CSRF) that leads to session theft and possibly code injection,
  • a stored XSS in various database fields, where code execution is also possible,
  • a weakness in the Unraid Community App Store that could have allowed attackers to inject malicious application templates after a hostile takeover of a GitHub repository.

All security vulnerabilities have been fixed in the latest major version 7.0.0 released at the beginning of January and in a bugfix release for the previous version. The update has the version number 6.12.15 and also fixes security vulnerabilities in the supplied git and rsync binaries.

Admins who maintain an Unraid server at home or in the company should install the updates quickly.


(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.