CVE-2020-36197

Improper Access Control Vulnerability in Music Station

CVSS 7.1 HIGH | EPSS 18.5% | CWE-284

In short

Music Station has an access control flaw that allows attackers to bypass security restrictions and gain unauthorized privileges, read sensitive data, or execute commands on affected systems.

Technical detail

An improper access control vulnerability (CWE-284) in QNAP Music Station versions prior to the fixed releases listed in the official description below allows unauthenticated or low-privileged attackers to escalate privileges, access sensitive information, and execute arbitrary commands. The vulnerability affects multiple QTS and QuTS platforms. The CVSS vector on this page scores the attack vector as adjacent network (AV:A) with no privileges required (PR:N).

Summary generated and translated by AI from the official description.
An improper access control vulnerability has been reported to affect earlier versions of Music Station. If exploited, this vulnerability allows attackers to compromise the security of the software by gaining privileges, reading sensitive information, executing commands, evading detection, etc. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.3.16 on QTS 4.5.2; versions prior to 5.2.10 on QTS 4.3.6; versions prior to 5.1.14 on QTS 4.3.3; versions prior to 5.3.16 on QuTS hero h4.5.2; versions prior to 5.3.16 on QuTScloud c4.5.4.
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
