The first vulnerably allows an unauthenticated attacker to leak video filename and id. The second vulnerability allows an authenticated user without access to the VideoStation application to bypass application privileges checking
This vulnerability allows a simple user to enable SSH access to the NAS and get the password of the _qnap_support account. This account is sudoers on the device.
Multiple vulnerabilities allow remote attackers to hijack the authentication of administrators or to conduct privilege escalation attacks via a susceptible version of Photo Station.