Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Synology Subscribe
Total 240 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-29086 1 Synology 2 Diskstation Manager, Diskstation Manager Unified Controller 2021-06-29 5.0 MEDIUM 7.5 HIGH
Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors.
CVE-2021-34812 1 Synology 1 Calendar 2021-06-23 5.0 MEDIUM 7.5 HIGH
Use of hard-coded credentials vulnerability in php component in Synology Calendar before 2.4.0-0761 allows remote attackers to obtain sensitive information via unspecified vectors.
CVE-2021-34810 1 Synology 1 Download Station 2021-06-23 6.5 MEDIUM 8.8 HIGH
Improper privilege management vulnerability in cgi component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.
CVE-2021-34809 1 Synology 1 Download Station 2021-06-23 6.5 MEDIUM 8.8 HIGH
Improper neutralization of special elements used in a command ('Command Injection') vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.
CVE-2021-34808 1 Synology 1 Media Server 2021-06-23 5.0 MEDIUM 5.3 MEDIUM
Server-Side Request Forgery (SSRF) vulnerability in cgi component in Synology Media Server before 1.8.3-2881 allows remote attackers to access intranet resources via unspecified vectors.
CVE-2021-34811 1 Synology 1 Download Station 2021-06-23 4.0 MEDIUM 4.3 MEDIUM
Server-Side Request Forgery (SSRF) vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to access intranet resources via unspecified vectors.
CVE-2021-29089 1 Synology 1 Photo Station 2021-06-10 10.0 HIGH 9.8 CRITICAL
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in thumbnail component in Synology Photo Station before 6.8.14-3500 allows remote attackers users to execute arbitrary SQL commands via unspecified vectors.
CVE-2021-29090 1 Synology 1 Photo Station 2021-06-10 9.0 HIGH 7.2 HIGH
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in PHP component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary SQL command via unspecified vectors.
CVE-2021-29091 1 Synology 1 Photo Station 2021-06-10 4.0 MEDIUM 6.5 MEDIUM
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to write arbitrary files via unspecified vectors.
CVE-2021-33181 1 Synology 1 Video Station 2021-06-10 6.5 MEDIUM 9.1 CRITICAL
Server-Side Request Forgery (SSRF) vulnerability in webapi component in Synology Video Station before 2.4.10-1632 allows remote authenticated users to send arbitrary request to intranet resources via unspecified vectors.
CVE-2021-33183 1 Synology 1 Docker 2021-06-10 3.6 LOW 7.9 HIGH
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability container volume management component in Synology Docker before 18.09.0-0515 allows local users to read or write arbitrary files via unspecified vectors.
CVE-2021-33184 1 Synology 1 Download Station 2021-06-10 4.0 MEDIUM 7.7 HIGH
Server-Side request forgery (SSRF) vulnerability in task management component in Synology Download Station before 3.8.15-3563 allows remote authenticated users to read arbitrary files via unspecified vectors.
CVE-2021-33182 1 Synology 1 Diskstation Manager 2021-06-09 4.0 MEDIUM 4.3 MEDIUM
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in PDF Viewer component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to read limited files via unspecified vectors.
CVE-2021-29092 1 Synology 1 Photo Station 2021-06-09 6.5 MEDIUM 8.8 HIGH
Unrestricted upload of file with dangerous type vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary code via unspecified vectors.
CVE-2021-29088 1 Synology 1 Diskstation Manager 2021-06-09 4.6 MEDIUM 7.8 HIGH
Improper limitation of a pathname to a restricted directory ('Path Traversal') in cgi component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
CVE-2021-33180 1 Synology 1 Media Server 2021-06-08 7.5 HIGH 9.8 CRITICAL
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2019-14907 5 Canonical, Fedoraproject, Redhat and 2 more 9 Ubuntu Linux, Fedora, Enterprise Linux and 6 more 2021-05-29 2.6 LOW 6.5 MEDIUM
All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with "log level = 3" (or above) then the string obtained from the client, after a failed character conversion, is printed. Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process(such as the RPC server) to terminate. (In the file server case, the most likely target, smbd, operates as process-per-client and so a crash there is harmless).
CVE-2021-31439 1 Synology 1 Diskstation Manager 2021-05-27 5.8 MEDIUM 8.8 HIGH
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerablity. The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12326.
CVE-2021-27648 1 Synology 1 Antivirus Essential 2021-05-12 6.5 MEDIUM 8.8 HIGH
Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors.
CVE-2018-8920 1 Synology 1 Diskstation Manager 2021-05-12 6.5 MEDIUM 7.2 HIGH
Improper neutralization of escape vulnerability in Log Exporter in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary content to have an unspecified impact by exporting an archive in CSV format.