Total
110 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-13280 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 4.3 MEDIUM | 7.4 HIGH |
| Use of insufficiently random values vulnerability in SYNO.Encryption.GenRandomKey in Synology DiskStation Manager (DSM) before 6.2-23739 allows man-in-the-middle attackers to compromise non-HTTPS sessions via unspecified vectors. | |||||
| CVE-2017-14491 | 13 Arista, Arubanetworks, Canonical and 10 more | 29 Eos, Arubaos, Ubuntu Linux and 26 more | 2025-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response. | |||||
| CVE-2022-22684 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | N/A | 7.2 HIGH |
| Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to execute arbitrary commands via unspecified vectors. | |||||
| CVE-2020-27653 | 1 Synology | 2 Diskstation Manager, Router Manager | 2025-01-14 | 5.1 MEDIUM | 8.3 HIGH |
| Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors. | |||||
| CVE-2022-27618 | 1 Synology | 2 Diskstation Manager, Storage Analyzer | 2025-01-14 | N/A | 6.8 MEDIUM |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology Storage Analyzer before 2.1.0-0390 allows remote authenticated users to delete arbitrary files via unspecified vectors. | |||||
| CVE-2018-13291 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 4.0 MEDIUM | 4.3 MEDIUM |
| Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to obtain sensitive information via the world readable configuration. | |||||
| CVE-2019-9511 | 12 Apache, Apple, Canonical and 9 more | 22 Traffic Server, Mac Os X, Swiftnio and 19 more | 2025-01-14 | 7.8 HIGH | 7.5 HIGH |
| Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. | |||||
| CVE-2017-12076 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 4.0 MEDIUM | 4.9 MEDIUM |
| Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology DiskStation (DSM) before 6.1.1-15088 allows remote authenticated attacker to exhaust the memory resources of the machine, causing a denial of service attack. | |||||
| CVE-2021-31439 | 3 Debian, Netatalk, Synology | 3 Debian Linux, Netatalk, Diskstation Manager | 2025-01-14 | 5.8 MEDIUM | 8.8 HIGH |
| This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerablity. The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12326. | |||||
| CVE-2017-12075 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 6.5 MEDIUM | 7.2 HIGH |
| Command injection vulnerability in EZ-Internet in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to execute arbitrary command via the username parameter. | |||||
| CVE-2021-26564 | 1 Synology | 7 Diskstation Manager, Diskstation Manager Unified Controller, Skynas and 4 more | 2025-01-14 | 5.8 MEDIUM | 8.3 HIGH |
| Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session. | |||||
| CVE-2021-26569 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 6.8 MEDIUM | 9.8 CRITICAL |
| Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests. | |||||
| CVE-2018-7170 | 4 Hpe, Netapp, Ntp and 1 more | 10 Hpux-ntp, Hci, Solidfire and 7 more | 2025-01-14 | 3.5 LOW | 5.3 MEDIUM |
| ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549. | |||||
| CVE-2020-27656 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors. | |||||
| CVE-2020-27648 | 1 Synology | 3 Diskstation Manager, Skynas, Skynas Firmware | 2025-01-14 | 6.8 MEDIUM | 8.3 HIGH |
| Improper certificate validation vulnerability in OpenVPN client in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2021-43929 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2021-43926 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 7.5 HIGH | 4.7 MEDIUM |
| Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors. | |||||
| CVE-2017-15889 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 6.5 MEDIUM | 8.8 HIGH |
| Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via disk field. | |||||
| CVE-2018-8916 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 4.0 MEDIUM | 6.3 MEDIUM |
| Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification. | |||||
| CVE-2019-14907 | 6 Canonical, Debian, Fedoraproject and 3 more | 10 Ubuntu Linux, Debian Linux, Fedora and 7 more | 2025-01-14 | 2.6 LOW | 6.5 MEDIUM |
| All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with "log level = 3" (or above) then the string obtained from the client, after a failed character conversion, is printed. Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process(such as the RPC server) to terminate. (In the file server case, the most likely target, smbd, operates as process-per-client and so a crash there is harmless). | |||||