Vulnerability Details CVE-2020-36198
A command injection vulnerability has been reported to affect certain versions of Malware Remover. If exploited, this vulnerability allows remote attackers to execute arbitrary commands. This issue affects: QNAP Systems Inc. Malware Remover versions prior to 4.6.1.0. This issue does not affect: QNAP Systems Inc. Malware Remover 3.x.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.009
EPSS Ranking 75.5%
CVSS Severity
CVSS v3 Score 6.7
CVSS v2 Score 7.2
References
- http://packetstormsecurity.com/files/162849/QNAP-MusicStation-MalwareRemover-File-Upload-Command-Injection.html
- https://www.qnap.com/zh-tw/security-advisory/qsa-21-16
- https://www.zerodayinitiative.com/advisories/ZDI-21-592/
- http://packetstormsecurity.com/files/162849/QNAP-MusicStation-MalwareRemover-File-Upload-Command-Injection.html
- https://www.qnap.com/zh-tw/security-advisory/qsa-21-16
- https://www.zerodayinitiative.com/advisories/ZDI-21-592/
Products affected by CVE-2020-36198
-
cpe:2.3:a:qnap:malware_remover:4.5.4.0
-
cpe:2.3:a:qnap:malware_remover:4.5.4.1
-
cpe:2.3:a:qnap:malware_remover:4.5.4.2
-
cpe:2.3:a:qnap:malware_remover:4.5.5.1
-
cpe:2.3:a:qnap:malware_remover:4.6.0.0
-
cpe:2.3:a:qnap:malware_remover:4.6.0.1
-
cpe:2.3:a:qnap:malware_remover:4.6.0.2