CVE-2024-29238

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
Configurations

Configuration 1

AND
cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*
cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*

Configuration 2

AND
cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*
OR cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*
cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*

History

01 Aug 2025, 05:15

Type Values Removed Values Added
Summary
Removed: (en) Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to inject SQL commands via unspecified vectors.
Added: (en) Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.

14 Jan 2025, 19:29

Type Values Removed Values Added
CPE cpe:2.3:a:synology:diskstation_manager:7.2:*:*:*:*:*:*:*
cpe:2.3:a:synology:diskstation_manager:7.1:*:*:*:*:*:*:*
cpe:2.3:a:synology:diskstation_manager:6.2:*:*:*:*:*:*:*
cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*
cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*
cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*

14 Jan 2025, 18:25

Type Values Removed Values Added
CPE cpe:2.3:a:synology:diskstation_manager:7.1:*:*:*:*:*:*:*
cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*
cpe:2.3:a:synology:diskstation_manager:6.2:*:*:*:*:*:*:*
cpe:2.3:a:synology:diskstation_manager:7.2:*:*:*:*:*:*:*
First Time Synology
Synology diskstation Manager
Synology surveillance Station
References () https://www.synology.com/en-global/security/advisory/Synology_SA_24_04 - () https://www.synology.com/en-global/security/advisory/Synology_SA_24_04 - Vendor Advisory

21 Nov 2024, 09:07

Type Values Removed Values Added
References () https://www.synology.com/en-global/security/advisory/Synology_SA_24_04 - () https://www.synology.com/en-global/security/advisory/Synology_SA_24_04 -
Summary
  • (es) Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in the Log.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to inject SQL commands via unspecified vectors.

28 Mar 2024, 07:16

Type Values Removed Values Added
New CVE

Information

Published : 2024-03-28 07:16

Updated : 2025-08-01 05:15


NVD link : CVE-2024-29238

Mitre link : CVE-2024-29238

CVE.ORG link : CVE-2024-29238


Products Affected

synology

  • diskstation_manager
  • surveillance_station
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')