=====================================================================

                                 CERT-Renater

                       Information Note No. 2023/VULN457

_____________________________________________________________________

DATE                : 06/11/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Music Station 5.3.x prior to 5.3.23,
                      5.1.x prior to 5.1.16, and 4.8.x prior to 4.8.11.

=====================================================================
https://www.qnap.com/en/security-advisory/qsa-23-61
_____________________________________________________________________


Security ID : QSA-23-61
Vulnerability in Music Station

     Release date : November 4, 2023

     CVE identifier : CVE-2023-39299

     Affected products: Music Station 5.3.x, 5.1.x, 4.8.x


Severity
Medium

Status
Resolved


Summary

A path traversal vulnerability has been reported to affect several
versions of Music Station. If exploited, the vulnerability could allow
users to read the contents of unexpected files and expose sensitive
data via a network.

We have already fixed the vulnerability in the following affected
versions:

Affected Product        Fixed Version
Music Station 5.3.x     Music Station 5.3.23 and later
Music Station 5.1.x     Music Station 5.1.16 and later
Music Station 4.8.x     Music Station 4.8.11 and later
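
The following is an added example, not part of the QNAP or CERT-Renater text: a triage check that classifies installed Music Station versions against the table above. The host names and version strings in INVENTORY are constructed sample data, and the 'unlisted' and 'unparseable' labels are this example's own conventions.

```python
import re

# Fixed versions per branch, taken from the advisory table above.
FIXED = {(5, 3): (5, 3, 23), (5, 1): (5, 1, 16), (4, 8): (4, 8, 11)}

# Constructed sample data: hostname -> app version as reported by inventory.
INVENTORY = {
    "nas-01": "5.3.9",
    "nas-02": "5.3.23",
    "nas-03": "5.1.15",
    "nas-04": "4.8.11",
    "nas-05": "5.2.4",
    "nas-06": "unknown",
}


def parse_version(text):
    """Return the leading dotted-numeric part of a version string as a tuple."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text or "")
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    version = tuple(int(part) for part in m.group(1).split("."))
    if len(version) < 3:
        # "5.3" alone cannot be placed before or after 5.3.23.
        raise ValueError(f"version too short to compare: {text!r}")
    return version


def classify(version_text):
    """Return 'affected', 'fixed' or 'unlisted' for one installed version.

    'unlisted' means the branch is not in the advisory table, so the
    advisory neither flags nor clears it.
    """
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "unlisted"
    # Tuples compare numerically per component, so 5.3.9 < 5.3.23,
    # which a plain string comparison would get wrong.
    return "affected" if version < fixed else "fixed"


def triage(inventory):
    """Classify every host; strings that cannot be parsed are kept visible."""
    report = {}
    for host, version_text in inventory.items():
        try:
            report[host] = classify(version_text)
        except ValueError:
            report[host] = "unparseable"
    return report
```

Hosts reported as 'unlisted' or 'unparseable' need a manual check rather than being treated as patched.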


Recommendation

To fix the vulnerability, we recommend updating Music Station to the
latest version.


Updating Music Station

     1. Log on to your QNAP operating system as an administrator.
     2. Open App Center and then click .
        A search box appears.
     3. Type "Music Station" and then press ENTER.
        Music Station appears in the search results.
     4. Click Update.
        A confirmation message appears.
        Note: The Update button is not available if your Music Station
        is already up to date.
     5. Click OK.
        The application is updated.


Attachment

     CVE-2023-39299.json


Acknowledgements: fredoun


Revision History:
V1.0 (November 4, 2023) - Published


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
