Vulnerability Description: Arbitrary File Download
Software Version: QES 2.0.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-2504
CVSv3: 7.5
Severity: High
Credits: Francesco Giordano, Francesco Pigini, Sebastiano Lanzarotto, Massimiliano Brolli
A vulnerability was found in QNAP QES 2.0 that allows authenticated attacker to escape the webroot and download file of the NAS. The vulnerability resides in the download functionality.