Mark Woods

**Name of the Vulnerable Software and Affected Versions** QNAP Signage Station versions prior to 2.0.1 QNAP iArtist Lite versions prior to 1.4.54 **Description** The issue exists due to hardcoded registration data in the FTP service of the affected software. This allows a remote attacker to gain access to protected information through a session on TCP port 21. **Recommendations** For QNAP Signage Station versions prior to 2.0.1, update to version 2.0.1 or later. For QNAP iArtist Lite versions prior to 1.4.54, update to version 1.4.54 or later.

**Name of the Vulnerable Software and Affected Versions** QNAP Signage Station versions prior to 2.0.1 **Description** The issue allows remote authenticated users to execute arbitrary code by uploading an executable file and then accessing it via an unspecified URL. This is due to an unrestricted file upload vulnerability. **Recommendations** For versions prior to 2.0.1, update to version 2.0.1 or later to resolve the issue. As a temporary workaround, consider restricting file upload capabilities to prevent the execution of arbitrary code.

**Name of the Vulnerable Software and Affected Versions** QNAP Signage Station versions prior to 2.0.1 **Description** The issue allows remote attackers to bypass authentication and upload files via a spoofed HTTP request. **Recommendations** For versions prior to 2.0.1, update to version 2.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QNAP iArtist Lite versions prior to 1.4.54 QNAP Signage Station versions prior to 2.0.1 **Description** The issue allows remote authenticated users to gain privileges by registering an executable file and waiting for it to be run in a privileged context after a reboot. **Recommendations** For QNAP iArtist Lite versions prior to 1.4.54, update to version 1.4.54 or later. For QNAP Signage Station versions prior to 2.0.1, update to version 2.0.1 or later.