Yoni Ramon

**Name of the Vulnerable Software and Affected Versions** Helpdesk versions prior to 3.0.1 **Description** This issue allows attackers to gain control of the QNAP Kayako service due to improper access control in Helpdesk. Attackers can access sensitive data on the QNAP Kayako server using API keys. **Recommendations** For versions prior to 3.0.1, update to version 3.0.1 or later to resolve the issue. As a temporary workaround, consider replacing the API key to mitigate the vulnerability. Restrict access to sensitive data on the QNAP Kayako server until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** QTS versions prior to 4.3.4 with Photo Station versions prior to 5.7.2 QTS version 4.3.3 with Photo Station versions prior to 5.4.4 QTS version 4.2.6 with Photo Station versions prior to 5.2.8 **Description** The issue allows remote attackers to access sensitive information on the device due to a Path Traversal vulnerability in Photo Station. **Recommendations** For QTS versions prior to 4.3.4 with Photo Station versions prior to 5.7.2, update Photo Station to version 5.7.2 or later. For QTS version 4.3.3 with Photo Station versions prior to 5.4.4, update Photo Station to version 5.4.4 or later. For QTS version 4.2.6 with Photo Station versions prior to 5.2.8, update Photo Station to version 5.2.8 or later.

**Name of the Vulnerable Software and Affected Versions** Music Station versions 5.1.2 and earlier QTS versions 4.3.3 and 4.3.4 **Description** A command injection issue allows remote attackers to execute arbitrary commands in the compromised application. **Recommendations** For Music Station versions 5.1.2 and earlier, update to a version later than 5.1.2. For QTS versions 4.3.3 and 4.3.4, update to a version later than 4.3.4.

**Name of the Vulnerable Software and Affected Versions** QNAP QTS versions 4.2.6 build 20180531 and earlier QNAP QTS versions 4.3.3 build 20180528 and earlier QNAP QTS versions 4.3.4 build 20180528 and earlier Helpdesk versions 1.1.21 and earlier **Description** A command injection issue could allow remote attackers to run arbitrary commands in the compromised application. **Recommendations** For QNAP QTS versions 4.2.6 build 20180531 and earlier, update to a version later than 4.2.6 build 20180531. For QNAP QTS versions 4.3.3 build 20180528 and earlier, update to a version later than 4.3.3 build 20180528. For QNAP QTS versions 4.3.4 build 20180528 and earlier, update to a version later than 4.3.4 build 20180528. For Helpdesk versions 1.1.21 and earlier, update to a version later than 1.1.21.

**Name of the Vulnerable Software and Affected Versions** Music Station versions 4.8.6 and earlier (for QTS 4.2.x) Music Station versions 5.0.7 and earlier (for QTS 4.3.x) **Description** The issue allows a remote attacker to run arbitrary commands on the NAS if exploited. **Recommendations** For Music Station versions 4.8.6 and earlier (for QTS 4.2.x), update to a version later than 4.8.6. For Music Station versions 5.0.7 and earlier (for QTS 4.3.x), update to a version later than 5.0.7.