This vulnerability allows remote malicious users to create arbitrary configurations on affected installations of QNAP TS-464 NAS devices. An attacker must first obtain the ability to access the device's localhost interface, which can be accomplished using a malicious TURN server. The specific flaw exists within the legacy_cgi endpoints. The issue results from the lack of proper validation of a user-supplied string before using it to update configurations. An attacker can leverage this in conjunction with other vulnerabilities to create arbitrary configurations on the system.
Vulmon