Filtered by vendor Synology
Subscribe
Total
297 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-16766 | 1 Synology | 1 Diskstation Manager | 2025-04-20 | 6.4 MEDIUM | 6.5 MEDIUM |
An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.3-8754-6 allows local users to inject arbitrary web script or HTML via the -fn option. | |||||
CVE-2015-9104 | 1 Synology | 1 Audio Station | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
Cross-site scripting (XSS) vulnerabilities in Synology Audio Station 5.1 before 5.1-2550 and 5.4 before 5.4-2857 allows remote authenticated attackers to inject arbitrary web script or HTML via the album title. | |||||
CVE-2017-14491 | 13 Arista, Arubanetworks, Canonical and 10 more | 29 Eos, Arubaos, Ubuntu Linux and 26 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response. | |||||
CVE-2017-11154 | 1 Synology | 1 Photo Station | 2025-04-20 | 6.5 MEDIUM | 7.2 HIGH |
Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type parameter. | |||||
CVE-2017-9552 | 1 Synology | 1 Photo Station | 2025-04-20 | 2.1 LOW | 7.8 HIGH |
A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by "synophoto_dsm_user --auth USERNAME PASSWORD", and local users are able to obtain credentials by sniffing "/proc/*/cmdline". | |||||
CVE-2016-10330 | 1 Synology | 1 Photo Station | 2025-04-20 | 4.6 MEDIUM | 7.1 HIGH |
Directory traversal vulnerability in synophoto_dsm_user, a SUID program, as used in Synology Photo Station before 6.5.3-3226 allows local users to write to arbitrary files via unspecified vectors. | |||||
CVE-2017-12076 | 1 Synology | 1 Diskstation Manager | 2025-04-20 | 4.0 MEDIUM | 4.9 MEDIUM |
Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology DiskStation (DSM) before 6.1.1-15088 allows remote authenticated attacker to exhaust the memory resources of the machine, causing a denial of service attack. | |||||
CVE-2017-12072 | 1 Synology | 1 Photo Station | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.8.0-3456 allows remote authenticated users to inject arbitrary web scripts or HTML via the id parameter. | |||||
CVE-2017-11157 | 2 Microsoft, Synology | 2 Windows, Cloud Station Backup | 2025-04-20 | 4.6 MEDIUM | 7.8 HIGH |
Multiple untrusted search path vulnerabilities in the installer in Synology Cloud Station Backup before 4.2.5-4396 on Windows allow local attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory. | |||||
CVE-2017-11156 | 1 Synology | 1 Download Station | 2025-04-20 | 6.5 MEDIUM | 7.8 HIGH |
Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 uses weak permissions (0777) for ui/dlm/btsearch directory, which allows remote authenticated users to execute arbitrary code by uploading an executable via unspecified vectors. | |||||
CVE-2017-11148 | 1 Synology | 1 Chat | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
Server-side request forgery (SSRF) vulnerability in link preview in Synology Chat before 1.1.0-0806 allows remote authenticated users to access intranet resources via unspecified vectors. | |||||
CVE-2017-11153 | 1 Synology | 1 Photo Station | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload. | |||||
CVE-2017-11150 | 1 Synology | 1 Office | 2025-04-20 | 6.5 MEDIUM | 7.8 HIGH |
Command injection vulnerability in Document.php in Synology Office 2.2.0-1502 and 2.2.1-1506 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the crafted file name of RTF documents. | |||||
CVE-2017-15889 | 1 Synology | 1 Diskstation Manager | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via disk field. | |||||
CVE-2016-10323 | 1 Synology | 1 Photo Station | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
Synology Photo Station before 6.3-2958 allows local users to gain privileges by leveraging setuid execution of a "synophoto_dsm_user --copy-no-ea" command. | |||||
CVE-2017-11160 | 1 Synology | 1 Assistant | 2025-04-20 | 4.6 MEDIUM | 7.8 HIGH |
Multiple untrusted search path vulnerabilities in installer in Synology Assistant before 6.1-15163 on Windows allows local attackers to execute arbitrary code and conduct DLL hijacking attack via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory. | |||||
CVE-2017-12079 | 1 Synology | 1 Photo Station | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
Files or directories accessible to external parties vulnerability in picasa.php in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain arbitrary files via prog_id field. | |||||
CVE-2015-9103 | 1 Synology | 1 Note Station | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Synology Note Station 1.1-0212 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) note title or (2) file name of attachments. | |||||
CVE-2015-6910 | 1 Synology | 1 Video Station | 2025-04-12 | 7.5 HIGH | N/A |
SQL injection vulnerability in Synology Video Station before 1.5-0757 allows remote attackers to execute arbitrary SQL commands via the id parameter to audiotrack.cgi. | |||||
CVE-2015-6911 | 1 Synology | 1 Video Station | 2025-04-12 | 7.5 HIGH | N/A |
SQL injection vulnerability in Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary SQL commands via the id parameter to watchstatus.cgi. |