CVE-2020-36197
published 2021-05-13

Priority P262 · high · 8.8 (CVSS 3.1)
AV:A / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 18.50% (96.9th percentile)

An improper access control vulnerability has been reported to affect earlier versions of Music Station. If exploited, this vulnerability allows attackers to compromise the security of the software by gaining privileges, reading sensitive information, executing commands, evading detection, etc. This issue affects: QNAP Systems Inc. Music Station versions prior to 5.3.16 on QTS 4.5.2; versions prior to 5.2.10 on QTS 4.3.6; versions prior to 5.1.14 on QTS 4.3.3; versions prior to 5.3.16 on QuTS hero h4.5.2; versions prior to 5.3.16 on QuTScloud c4.5.4.

Affected

6 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qnap | music_station | < 5.3.16 | 5.3.16 |
| qnap | music_station | < 5.2.10 | 5.2.10 |
| qnap | music_station | < 5.1.14 | 5.1.14 |
| qnap_systems_inc | music_station | >= unspecified < 5.3.16 | 5.3.16 |
| qnap_systems_inc | music_station | >= unspecified < 5.2.10 | 5.2.10 |
| qnap_systems_inc | music_station | >= unspecified < 5.1.14 | 5.1.14 |

Detection & IOCs (extracted from sources)

url: /musicstation/api/upload.php?arttype=../../
path: /musicstation/api/upload.php
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT QNAP MusicStation Pre-Auth RCE Inbound (CVE-2020-36197)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/musicstation/api/upload.php?arttype=../../"; fast_pattern; reference:url,www.shielder.it/advisories/qnap-musicstation-malwareremover-pre-auth-remote-code-execution/; reference:cve,2020-36197; classtype:attempted-admin; sid:2033013; rev:2; metadata:created_at 2021_05_24, cve CVE_2020_36197, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_05_24;)
  • Attack uses HTTP POST method to the vulnerable upload endpoint with a path traversal payload in the 'arttype' parameter (../../), enabling pre-authentication RCE. Detect by matching POST requests to /musicstation/api/upload.php with arttype=../../ in the URI.
  • The exploit is inbound to HTTP servers / HOME_NET, indicating the attacker is an external party targeting QNAP devices exposed to the network. Scope detection to inbound HTTP traffic on standard web ports.
  • Vulnerable versions span multiple QNAP OS branches; ensure version checks cover all affected platforms (QTS 4.5.2, QTS 4.3.6, QTS 4.3.3, QuTS hero h4.5.2, QuTScloud c4.5.4) when scoping detection or patching.

CVSS provenance

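| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 5.8 | MEDIUM | AV:A/AC:L/Au:N/C:P/I:P/A:P |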