CVE-2020-36198

Description

A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Malware Remover versions prior to 4.6.1.0. This issue does not affect: QNAP Systems Inc. Malware Remover 3.x.

CVSS breakdown

CVSS 3.1

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

QNAP Systems Inc. / Malware Removerunspecified – 4.6.1.0
QNAP Systems Inc. / Malware Remover3.x – 3.x

References

MISChttps://www.qnap.com/zh-tw/security-advisory/qsa-21-16
VENDOR_ADVISORYhttps://www.zerodayinitiative.com/advisories/ZDI-21-592/
EXPLOIThttp://packetstormsecurity.com/files/162849/QNAP-MusicStation-MalwareRemover-File-Upload-Command-Injection.html