Vulnerability Description: Stored XSS via Arbitrary File upload
Software Version: QES 2.0.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-2503
CVSv3: 5.4
Severity: Medium
Credits: Francesco Giordano, Francesco Pigini, Sebastiano Lanzarotto, Massimiliano Brolli

A vulnerability was found in QNAP QES 2.0 that If exploited, vulnerability could allow remote attackers to inject malicious code in File Station. The vulnerability resides in the upload functionality that doesn’t perform the correct sanitization.