Sunday, May 30, 2021

QNAP MusicStation / MalwareRemover File Upload / Command Injection

QNAP MusicStation (5M+ installs) and MalwareRemover (pre-installed and
"non-removable") official apps are affected by an arbitrary file upload
and a command injection vulnerabilities, leading to pre-auth remote
command execution with root privileges on the NAS.

QNAP has already released updates with patches in April.

The technical details are available at

Research team director @ Shielder Srl
[email protected]


Copyright © 2020 Cyber Details - Vulnerability Database™

Thanks for everything Templateism - You should have written the code a little more complicated