{"vuid":"VU#444472","idnumber":"444472","name":"QNAP Signage Station and iArtist Lite contain multiple vulnerabilities","keywords":["CWE-434","upload","zip","php"],"overview":"The QNAP Signage Station prior to version 2.0.1 and the accompanying iArtist Lite application contain multiple vulnerabilities.","clean_desc":"CWE-434: Unrestricted Upload of File with Dangerous Type -  CVE-2015-6022 An authenticated attacker without administrative permissions may upload a malicious file, such as a PHP script, to the QNAP Signage Station server. The attacker is then able to access the uploaded file via a predictable URL and execute the script. The script is executed on the server with administrator permissions. CWE-290: Authentication Bypass by Spoofing - CVE-2015-6036 An unauthenticated attacker may spoof an HTTP request to the QNAP Signage Station in such a manner as to bypass authentication, allowing the attacker to perform actions such as upload files. CWE-798: Use of Hard-coded Credentials - CVE-2015-7261\nCWE-523: Unprotected Transport of Credentials QNAP iArtist Lite contains a hard-coded FTP account and password, and uses these credentials to communicate with Signage Station. FTP transmits all data in plain text and is not secure from attackers eavesdropping on the network. CWE-427: Uncontrolled Search Path Element - CVE-2015-7262 QNAP iArtist Lite allows a user to register a binary with the iArtist service, which will be executed with SYSTEM privileges upon next system restart.","impact":"An unauthenticated user may be able to execute commands on the server with system privileges.","resolution":"Apply an update QNAP has released Signage Station 2.0.1 and iArtist Lite 1.4.54 to address this issue. Affected users are encouraged to update as soon as possible.","workarounds":"","sysaffected":"","thanks":"Thanks to  Mark Woods for reporting these vulnerabilities.","author":"This document was written by Garret Wassermann.","public":["http://cwe.mitre.org/data/definitions/290.html","http://cwe.mitre.org/data/definitions/434.html","http://cwe.mitre.org/data/definitions/798.html","http://cwe.mitre.org/data/definitions/427.html"],"cveids":["CVE-2015-6022","CVE-2015-6036","CVE-2015-7261","CVE-2015-7262"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2015-09-11T12:49:56Z","publicdate":"2016-02-25T00:00:00Z","datefirstpublished":"2016-02-25T18:16:33Z","dateupdated":"2016-02-25T18:16:34Z","revision":61,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"9","cvss_basevector":"AV:N/AC:L/Au:S/C:C/I:C/A:C","cvss_temporalscore":"7.4","cvss_environmentalscore":"5.5990958184","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}