PT-2020-5350 · Qnap · Qes

Published

2020-12-23

Updated

2020-12-28

CVE-2020-2504

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions QNAP QES versions prior to 2.1.1 Build 20201006

Description This issue is related to an absolute path traversal vulnerability that could allow attackers to traverse files in File Station. The vulnerability is also associated with inadequate access control in the QES operating system, which could enable a remote attacker to gain unauthorized access to protected information.

Recommendations For versions prior to 2.1.1 Build 20201006, update to QES 2.1.1 Build 20201006 or later to resolve the issue. As a temporary workaround, consider restricting access to the File Station to minimize the risk of exploitation.

Fix

Improper Access Control

Path traversal

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-73CWE-284CWE-22CWE-20

Related Identifiers

BDU:2021-00191

CVE-2020-2504

Affected Products

Qes

PT-2020-5350 · Qnap · Qes

CVE-2020-2504

Weakness Enumeration

Related Identifiers

Affected Products

References · 9