CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2020-2501 – Stack Buffer Overflow in Surveillance Station
https://notcve.org/view.php?id=CVE-2020-2501
A stack-based buffer overflow vulnerability has been reported to affect QNAP NAS devices running Surveillance Station. If exploited, this vulnerability allows attackers to execute arbitrary code. QNAP have already fixed this vulnerability in the following versions: Surveillance Station 5.1.5.4.3 (and later) for ARM CPU NAS (64bit OS) and x86 CPU NAS (64bit OS) Surveillance Station 5.1.5.3.3 (and later) for ARM CPU NAS (32bit OS) and x86 CPU NAS (32bit OS) Se ha reportado una vulnerabilidad de desbordamiento del búfer en la región stack de la memoria que afecta a los dispositivos NAS de QNAP que ejecutan Surveillance Station. Si es explotada, esta vulnerabilidad permite a atacantes ejecutar código arbitrario. QNAP ya ha corregido esta vulnerabilidad en las siguientes versiones: Surveillance Station versiones 5.1.5.4.3 (y posterior) para ARM CPU NAS (SO de 64 bits) y x86 CPU NAS (SO de 64 bits) Surveillance Station versiones 5.1.5.3.3 (y posterior) para ARM CPU NAS (sistema operativo de 32 bits) y CPU NAS x86 (sistema operativo de 32 bits) • https://www.qnap.com/en/security-advisory/qsa-21-07 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2506 – QNAP Helpdesk Improper Access Control Vulnerability
https://notcve.org/view.php?id=CVE-2020-2506
The vulnerability have been reported to affect earlier versions of QTS. If exploited, this improper access control vulnerability could allow attackers to compromise the security of the software by gaining privileges, or reading sensitive information. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3. La vulnerabilidad ha sido reportada para afectar a versiones anteriores de QTS. • https://www.qnap.com/zh-tw/security-advisory/qsa-20-08 • CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2507 – command injection vulnerability in Helpdesk
https://notcve.org/view.php?id=CVE-2020-2507
The vulnerability have been reported to affect earlier versions of QTS. If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3. La vulnerabilidad ha sido reportada para afectar a versiones anteriores de QTS. • https://www.qnap.com/zh-tw/security-advisory/qsa-20-08 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2020-2508 – Command Injection Vulnerability in QTS and QuTS hero
https://notcve.org/view.php?id=CVE-2020-2508
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions: QTS 4.5.1.1456 build 20201015 (and later) QuTS hero h4.5.1.1472 build 20201031 (and later) Se ha reportado una vulnerabilidad de inyección de comandos afecta a QTS y QuTS hero. Si se explota, esta vulnerabilidad permite a atacantes ejecutar comandos arbitrarios en una aplicación comprometida. QNAP ya ha corregido esta vulnerabilidad en las siguientes versiones: QTS 4.5.1.1456 build 20201015 (y posterior) QuTS hero h4.5.1.1472 build 20201031 (y posterior) • https://www.qnap.com/zh-tw/security-advisory/qsa-21-01 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2018-19945 – Improper Limitation of a Pathname to a Restricted Directory in QTS
https://notcve.org/view.php?id=CVE-2018-19945
A vulnerability has been reported to affect earlier QNAP devices running QTS 4.3.4 to 4.3.6. Caused by improper limitations of a pathname to a restricted directory, this vulnerability allows for renaming arbitrary files on the target system, if exploited. QNAP have already fixed this vulnerability in the following versions: QTS 4.3.6.0895 build 20190328 (and later) QTS 4.3.4.0899 build 20190322 (and later) This issue does not affect QTS 4.4.x or QTS 4.5.x. Se ha reportado de una vulnerabilidad que afecta a los dispositivos QNAP anteriores que ejecutan QTS versión 4.3.4 a la 4.3.6. Causada por limitaciones inapropiadas de un nombre de ruta en un directorio restringido, esta vulnerabilidad permite cambiar el nombre de archivos arbitrarios en el sistema de destino, si se explota. • https://www.qnap.com/zh-tw/security-advisory/qsa-20-21 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-73: External Control of File Name or Path CWE-284: Improper Access Control •