Original Issue Date: October 07, 2021
Severity Rating: HIGH
Software Affected
QVR 5.1.5 build 20210902 and later
Overview
A command injection vulnerability has been reported in certain QNAP end-of-life (EOL) devices running QVR. It could allow a remote attacker to run arbitrary commands on the targeted system and compromise it.
Description
The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted data to the application and execute arbitrary commands on the target system.
Successful exploitation of this vulnerability may allow a remote attacker to execute arbitrary commands on the target system and may result in complete compromise of the vulnerable system.
Solution
Apply the appropriate patch as mentioned in QNAP's advisory: