Filtered by vendor Synology
Subscribe
Total
240 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-6909 | 1 Synology | 1 Download Station | 2018-10-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the "Create download task via file upload" feature in Synology Download Station before 3.5-2962 allows remote attackers to inject arbitrary web script or HTML via the name element in the Info dictionary in a torrent file. | |||||
| CVE-2016-10323 | 1 Synology | 1 Photo Station | 2018-06-13 | 7.2 HIGH | 7.8 HIGH |
| Synology Photo Station before 6.3-2958 allows local users to gain privileges by leveraging setuid execution of a "synophoto_dsm_user --copy-no-ea" command. | |||||
| CVE-2017-9554 | 1 Synology | 1 Diskstation Manager | 2018-01-11 | 5.0 MEDIUM | 5.3 MEDIUM |
| An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors. | |||||
| CVE-2017-16768 | 1 Synology | 1 Mailplus Server | 2018-01-10 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in User Policy editor in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary HTML via the name parameter. | |||||
| CVE-2017-11157 | 2 Microsoft, Synology | 2 Windows, Cloud Station Backup | 2017-09-05 | 4.6 MEDIUM | 7.8 HIGH |
| Multiple untrusted search path vulnerabilities in the installer in Synology Cloud Station Backup before 4.2.5-4396 on Windows allow local attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory. | |||||
| CVE-2017-12077 | 1 Synology | 1 Router Manager | 2017-08-31 | 4.0 MEDIUM | 4.9 MEDIUM |
| Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology Router Manager (SRM) before 1.1.4-6509 allows remote authenticated attacker to exhaust the memory resources of the machine, causing a denial of service attack. | |||||
| CVE-2017-12076 | 1 Synology | 1 Diskstation Manager | 2017-08-31 | 4.0 MEDIUM | 4.9 MEDIUM |
| Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology DiskStation (DSM) before 6.1.1-15088 allows remote authenticated attacker to exhaust the memory resources of the machine, causing a denial of service attack. | |||||
| CVE-2017-11160 | 1 Synology | 1 Assistant | 2017-08-29 | 4.6 MEDIUM | 7.8 HIGH |
| Multiple untrusted search path vulnerabilities in installer in Synology Assistant before 6.1-15163 on Windows allows local attackers to execute arbitrary code and conduct DLL hijacking attack via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory. | |||||
| CVE-2013-6987 | 1 Synology | 1 Diskstation Manager | 2017-08-28 | 7.5 HIGH | N/A |
| Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter to file_delete.cgi or (2) folder_path parameter to file_share.cgi in webapi/FileStation/; (3) dlink parameter to fbdownload/; or unspecified parameters to (4) html5_upload.cgi, (5) file_download.cgi, (6) file_sharing.cgi, (7) file_MVCP.cgi, or (8) file_rename.cgi in webapi/FileStation/. | |||||
| CVE-2012-1556 | 1 Synology | 2 Diskstation Manager, Synology Photo Station | 2017-08-28 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php. | |||||
| CVE-2016-10322 | 1 Synology | 1 Photo Station | 2017-04-17 | 6.5 MEDIUM | 8.8 HIGH |
| Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php. | |||||
| CVE-2015-2851 | 2 Apple, Synology | 2 Mac Os X, Cloud Station | 2016-12-02 | 6.8 MEDIUM | N/A |
| client_chown in the sync client in Synology Cloud Station 1.1-2291 through 3.1-3320 on OS X allows local users to change the ownership of arbitrary files, and consequently obtain root access, by specifying a filename. | |||||
| CVE-2015-4656 | 1 Synology | 1 Photo Station | 2016-11-28 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php or (2) crafted URL parameters to index.php, as demonstrated by the t parameter to photo/. | |||||
| CVE-2015-4655 | 1 Synology | 1 Diskstation Manager | 2016-11-28 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Synology DiskStation Manager (DSM) before 5.2-5565 Update 1 allows remote attackers to inject arbitrary web script or HTML via the "compound" parameter to entry.cgi. | |||||
| CVE-2015-2809 | 1 Synology | 1 Diskstation Manager | 2016-07-29 | 5.0 MEDIUM | N/A |
| The Multicast DNS (mDNS) responder in Synology DiskStation Manager (DSM) before 3.1 inadvertently responds to unicast queries with source addresses that are not link-local, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets to the Avahi component. | |||||
| CVE-2014-6836 | 1 Synology | 1 Ds Photo\+ | 2014-11-14 | 5.4 MEDIUM | N/A |
| The DS photo+ (aka com.synology.dsphoto) application 3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2014-6848 | 1 Synology | 1 Ds File | 2014-11-14 | 5.4 MEDIUM | N/A |
| The DS file (aka com.synology.DSfile) application 4.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2014-6868 | 1 Synology | 1 Ds Audio | 2014-11-14 | 5.4 MEDIUM | N/A |
| The DS audio (aka com.synology.DSaudio) application 3.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2014-2264 | 1 Synology | 1 Diskstation Manager | 2014-03-03 | 7.8 HIGH | N/A |
| The OpenVPN module in Synology DiskStation Manager (DSM) 4.3-3810 update 1 has a hardcoded root password of synopass, which makes it easier for remote attackers to obtain access via a VPN session. | |||||
| CVE-2013-6955 | 1 Synology | 1 Diskstation Manager | 2014-01-10 | 10.0 HIGH | N/A |
| webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header. | |||||