A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions: QTS 4.5.1.1456 build 20201015 (and later) QuTS hero h4.5.1.1472 build 20201031 (and later)
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2508
Reference (s):
- https://www.qnap.com/zh-tw/security-advisory/qsa-21-01
- URL: https://www.qnap.com/zh-tw/security-advisory/qsa-21-01