A missing authentication for critical function vulnerability has been reported to affect myQNAPcloud Link. If exploited, the vulnerability could allow users with the privilege level of some functionality via a network.
We have already fixed the vulnerability in the following version:
myQNAPcloud Link 2.4.51 and later
Se ha informado que falta una autenticación para una vulnerabilidad de función crítica que afecta a myQNAPcloud Link. Si se explota, la vulnerabilidad podría permitir a los usuarios con el nivel de privilegio de alguna funcionalidad a través de una red. Ya hemos solucionado la vulnerabilidad en la siguiente versión: myQNAPcloud Link 2.4.51 y posteriores
This vulnerability allows remote attackers to execute arbitrary code on affected installations of QNAP TS-464 NAS devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the create_session action. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root.
