Vulnerabilities (CVE)

Filtered by vendor Synology Subscribe
Total 282 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-27621 1 Synology 2 Diskstation Manager, Usb Copy 2025-01-14 N/A 5.5 MEDIUM
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology USB Copy before 2.2.0-1086 allows remote authenticated users to read or write arbitrary files via unspecified vectors.
CVE-2017-9553 1 Synology 1 Diskstation Manager 2025-01-14 4.3 MEDIUM 7.5 HIGH
A design flaw in SYNO.API.Encryption in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to bypass the encryption protection mechanism via the crafted version parameter.
CVE-2020-27650 1 Synology 3 Diskstation Manager, Skynas, Skynas Firmware 2025-01-14 4.3 MEDIUM 5.8 MEDIUM
Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.
CVE-2021-29087 1 Synology 2 Diskstation Manager, Diskstation Manager Unified Controller 2025-01-14 5.0 MEDIUM 7.5 HIGH
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors.
CVE-2024-29238 1 Synology 2 Diskstation Manager, Surveillance Station 2025-01-14 N/A 5.4 MEDIUM
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to inject SQL commands via unspecified vectors.
CVE-2018-8919 1 Synology 1 Diskstation Manager 2025-01-14 5.0 MEDIUM 8.3 HIGH
Information exposure vulnerability in SYNO.Core.Desktop.SessionData in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to steal credentials via unspecified vectors.
CVE-2022-22687 1 Synology 2 Diskstation Manager, Diskstation Manager Unified Controller 2025-01-14 7.5 HIGH 9.8 CRITICAL
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
CVE-2021-27649 1 Synology 2 Diskstation Manager, Diskstation Manager Unified Controller 2025-01-14 7.5 HIGH 9.8 CRITICAL
Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
CVE-2021-26560 1 Synology 7 Diskstation Manager, Diskstation Manager Unified Controller, Skynas and 4 more 2025-01-14 5.8 MEDIUM 9.0 CRITICAL
Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
CVE-2019-9517 12 Apache, Apple, Canonical and 9 more 25 Http Server, Traffic Server, Mac Os X and 22 more 2025-01-14 7.8 HIGH 7.5 HIGH
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
CVE-2021-26561 1 Synology 7 Diskstation Manager, Diskstation Manager Unified Controller, Skynas and 4 more 2025-01-14 6.8 MEDIUM 9.0 CRITICAL
Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
CVE-2021-26563 1 Synology 7 Diskstation Manager, Diskstation Manager Unified Controller, Skynas and 4 more 2025-01-14 4.6 MEDIUM 8.2 HIGH
Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
CVE-2023-0142 1 Synology 3 Diskstation Manager, Diskstation Manager Unified Controller, Router Manager 2025-01-14 N/A 6.5 MEDIUM
Uncontrolled search path element vulnerability in Backup Management functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.0.1-42218-7 and 7.1-42661 allows remote authenticated users with administrator privileges to read or write arbitrary files via unspecified vectors.
CVE-2022-27626 1 Synology 4 Diskstation Manager, Ds3622xs\+, Fs3410 and 1 more 2025-01-14 N/A 10.0 CRITICAL
A vulnerability regarding concurrent execution using shared resource with improper synchronization ('Race Condition') is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.
CVE-2018-13284 1 Synology 1 Diskstation Manager 2025-01-14 9.0 HIGH 7.5 HIGH
Command injection vulnerability in ftpd in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command.
CVE-2015-2809 1 Synology 1 Diskstation Manager 2025-01-14 5.0 MEDIUM N/A
The Multicast DNS (mDNS) responder in Synology DiskStation Manager (DSM) before 3.1 inadvertently responds to unicast queries with source addresses that are not link-local, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets to the Avahi component.
CVE-2019-9515 12 Apache, Apple, Canonical and 9 more 24 Traffic Server, Mac Os X, Swiftnio and 21 more 2025-01-14 7.8 HIGH 7.5 HIGH
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CVE-2019-19344 4 Canonical, Opensuse, Samba and 1 more 7 Ubuntu Linux, Leap, Samba and 4 more 2025-01-14 4.0 MEDIUM 6.5 MEDIUM
There is a use-after-free issue in all samba 4.9.x versions before 4.9.18, all samba 4.10.x versions before 4.10.12 and all samba 4.11.x versions before 4.11.5, essentially due to a call to realloc() while other local variables still point at the original buffer.
CVE-2017-16766 1 Synology 1 Diskstation Manager 2025-01-14 6.4 MEDIUM 6.5 MEDIUM
An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.3-8754-6 allows local users to inject arbitrary web script or HTML via the -fn option.
CVE-2022-3576 1 Synology 4 Diskstation Manager, Ds3622xs\+, Fs3410 and 1 more 2025-01-14 N/A 5.3 MEDIUM
A vulnerability regarding out-of-bounds read is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to obtain sensitive information via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.