Severity: 8.8
CWE: 284, 22

CVE-2020-36197: QNAP NAS MusicStation Directory Traversal Arbitrary File Creation Vulnerability

First published: Thu May 13 2021

An improper access control vulnerability has been reported to affect earlier versions of Music Station. If exploited, this vulnerability allows attackers to compromise the security of the software by gaining privileges, reading sensitive information, executing commands, evading detection, etc. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.3.16 on QTS 4.5.2; versions prior to 5.2.10 on QTS 4.3.6; versions prior to 5.1.14 on QTS 4.3.3; versions prior to 5.3.16 on QuTS hero h4.5.2; versions prior to 5.3.16 on QuTScloud c4.5.4.

Credit: security@qnapsecurity.com.tw

| Affected Software | Affected Version |
|---|---|
| Qnap Music Station | <5.3.16 |
| QNAP QTS | =4.5.2 |
| Qnap Music Station | <5.2.10 |
| QNAP QTS | =4.3.6 |
| Qnap Music Station | <5.1.14 |
| QNAP QTS | =4.3.3 |
| QNAP QuTS hero | =h4.5.2 |
| QNAP QuTScloud | =c4.5.4 |
| QNAP NAS | |

Remedy

QNAP have already fixed this vulnerability in the following versions:

  • QTS 4.5.2: Music Station 5.3.16 and later
  • QTS 4.3.6: Music Station 5.2.10 and later
  • QTS 4.3.3: Music Station 5.1.14 and later
  • QuTS hero h4.5.2: Music Station 5.3.16 and later
  • QuTScloud c4.5.4: Music Station 5.3.16 and later

Frequently Asked Questions

  • What is CVE-2020-36197?

    CVE-2020-36197 is an improper access control vulnerability in earlier versions of Music Station.

  • What is the severity of CVE-2020-36197?

    CVE-2020-36197 has a severity rating of 8.8 (high).

  • How does CVE-2020-36197 affect Qnap Music Station?

    CVE-2020-36197 affects Qnap Music Station versions up to 5.3.16, allowing attackers to compromise its security.

  • How can CVE-2020-36197 be exploited?

    CVE-2020-36197 can be exploited to gain privileges, read sensitive information, execute commands, and evade detection.

  • Where can I find more information about CVE-2020-36197?

    You can find more information about CVE-2020-36197 at the following references: [Reference 1](http://packetstormsecurity.com/files/162849/QNAP-MusicStation-MalwareRemover-File-Upload-Command-Injection.html), [Reference 2](https://www.qnap.com/zh-tw/security-advisory/qsa-21-08), [Reference 3](https://www.zerodayinitiative.com/advisories/ZDI-21-591/).
