Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN780
_____________________________________________________________________

DATE                : 10/11/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Video Station versions prior to
                    5.10.0.305 (2025/09/16), 5.10.0.304 (2025/09/08).

=====================================================================
https://www.qnap.com/en/security-advisory/qsa-25-37
_____________________________________________________________________

Security ID : QSA-25-37
Multiple Vulnerabilities in Download Station

    Release date : November 8, 2025

    CVE identifier : CVE-2025-58463 | CVE-2025-58465

    Affected products: Download Station 5.10.x

Severity
Important

Status
Resolved


Summary

Multiple vulnerabilities have been reported to affect Download
Station:

    CVE-2025-58463: Relative path traversal vulnerability
    If a remote attacker gains access to an administrator account,
they can then exploit the vulnerability to read the contents of
unexpected files or system data.
    CVE-2025-58465: Cross-site scripting (XSS) vulnerability
    If a remote attacker gains acces to a user account, they can
then exploit the vulnerability to bypass security mechanisms or
read application data.


We have already fixed the vulnerabilities in the following
versions:

Affected Product 	Fixed Version
Download Station 5.10.x (for QTS 5.2.1) 	Download Station 5.10.0.305 (2025/09/16) and later
Download Station 5.10.x (for QuTS hero h5.2.1) 	Download Station 5.10.0.304 (2025/09/08) and later


Recommendation

To fix the vulnerabilities, we recommend updating Download
Station to the latest version.


Updating Download Station

    Log on to QTS or QuTS hero as an administrator.
    Open App Center and then click .
    A search box appears.
    Type "Download Station" and then press ENTER.
    Download Station appears in the search results.
    Click Update.
    A confirmation message appears.
    Note: The Update button is not available if your Download Station is
already up to date.
    Click OK.
    The system updates the application.
 

Attachment

    CVE-2025-58463.json
    CVE-2025-58465.json


Acknowledgements: Tim Coen


Revision History:
V1.0 (November 8, 2025) - Published


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================