Vulnerability Note VU#444472
QNAP Signage Station and iArtist Lite contain multiple vulnerabilities
The QNAP Signage Station prior to version 2.0.1 and the accompanying iArtist Lite application contain multiple vulnerabilities.
CWE-434: Unrestricted Upload of File with Dangerous Type - CVE-2015-6022
An authenticated attacker without administrative permissions may upload a malicious file, such as a PHP script, to the QNAP Signage Station server. The attacker is then able to access the uploaded file via a predictable URL and execute the script. The script is executed on the server with administrator permissions.
An unauthenticated user may be able to execute commands on the server with system privileges.
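A server-side upload check covering the three elements of the CWE-434 issue described above (dangerous file type, predictable URL, execution of the stored file), shown in Python as an added example. It is not QNAP's code or its fix; the allowlist, size limit, and function names are assumptions made for illustration.

```python
import os
import secrets

# Assumed allowlist for a media upload feature (constructed for this example):
# permitted extension -> magic bytes the content must begin with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
MAX_BYTES = 5 * 1024 * 1024   # assumed size limit
SCRIPT_MARKER = b"<?php"      # defense in depth against image/PHP polyglots


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def store_upload(client_name: str, data: bytes, store_dir: str) -> str:
    """Validate an upload and write it under a random name.

    store_dir should lie outside the web root (or in a location where the
    server never invokes a script interpreter). Returns the stored file name.
    """
    # Only the final extension is consulted; the client's name never reaches disk.
    ext = os.path.splitext(os.path.basename(client_name))[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        raise UploadRejected(f"extension {ext!r} is not on the allowlist")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file exceeds size limit")
    if not data.startswith(magic):
        raise UploadRejected("content does not match the claimed type")
    if SCRIPT_MARKER in data.lower():
        raise UploadRejected("embedded script marker found")

    # Random name: the resulting URL cannot be predicted from the original
    # file name, and a double extension such as "x.php.png" is discarded.
    stored = secrets.token_hex(16) + ext
    path = os.path.join(store_dir, stored)
    # O_EXCL refuses to overwrite an existing file; mode 0o640 sets no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stored
```

The type check alone is not sufficient; the storage location and server configuration must also ensure that nothing in the upload directory is ever handed to a script interpreter.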
Apply an update
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| QNAP | Affected | 23 Sep 2015 | 16 Oct 2015 |

CVSS Metrics
Thanks to Mark Woods for reporting these vulnerabilities.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2015-6022, CVE-2015-6036, CVE-2015-7261, CVE-2015-7262
- Date Public: 25 Feb 2016
- Date First Published: 25 Feb 2016
- Date Last Updated: 25 Feb 2016
- Document Revision: 60