QNAP Signage Station prior to 2.0.1 allows remote malicious users to bypass authentication, and consequently upload files, via a spoofed HTTP request.
QNAP Signage Station 2.0.0