QNAP MusicStation / MalwareRemover File Upload / Command Injection

CVE Category Price Severity
CVE-2020-36195 CWE-78 $5,000 High
Author Risk Exploitation Type Date
David Sopas High Remote 2021-05-28
CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

QNAP MusicStation / MalwareRemover File Upload / Command Injection
QNAP MusicStation (5M+ installs) and MalwareRemover (pre-installed and
"non-removable") official apps are affected by an arbitrary file upload
and a command injection vulnerabilities, leading to pre-auth remote
command execution with root privileges on the NAS.

QNAP has already released updates with patches in April.

The technical details are available at

Research team director @ Shielder Srl
[email protected]

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum