Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

  1. Reconshell
  2. Vulnerabilities (CVE)
Filtered by vendor Synology Subscribe
Total 240 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-13282 1 Synology 1 Photo Station 2019-10-09 6.8 MEDIUM 6.3 MEDIUM
Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
CVE-2018-13281 1 Synology 3 Diskstation Manager, Skynas, Vs960hd 2019-10-09 4.0 MEDIUM 4.3 MEDIUM
Information exposure vulnerability in SYNO.Core.ACL in Synology DiskStation Manager (DSM) before 6.2-23739-2 allows remote authenticated users to determine the existence and obtain the metadata of arbitrary files via the file_path parameter.
CVE-2018-13280 1 Synology 1 Diskstation Manager 2019-10-09 4.3 MEDIUM 5.9 MEDIUM
Use of insufficiently random values vulnerability in SYNO.Encryption.GenRandomKey in Synology DiskStation Manager (DSM) before 6.2-23739 allows man-in-the-middle attackers to compromise non-HTTPS sessions via unspecified vectors.
CVE-2017-9552 1 Synology 1 Photo Station 2019-10-09 2.1 LOW 7.8 HIGH
A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by "synophoto_dsm_user --auth USERNAME PASSWORD", and local users are able to obtain credentials by sniffing "/proc/*/cmdline".
CVE-2017-9556 1 Synology 1 Video Station 2019-10-09 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in Video Metadata Editor in Synology Video Station before 2.3.0-1435 allows remote authenticated attackers to inject arbitrary web script or HTML via the title parameter.
CVE-2017-9555 1 Synology 1 Photo Station 2019-10-09 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.0-3414 allows remote attackers to inject arbitrary web script or HTML via the image parameter.
CVE-2017-16767 1 Synology 1 Surveillance Station 2019-10-09 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter.
CVE-2017-16766 1 Synology 1 Diskstation Manager 2019-10-09 6.4 MEDIUM 6.5 MEDIUM
An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.3-8754-6 allows local users to inject arbitrary web script or HTML via the -fn option.
CVE-2017-16775 1 Synology 1 Sso Server 2019-10-09 5.8 MEDIUM 6.1 MEDIUM
Improper restriction of rendered UI layers or frames vulnerability in SSOOauth.cgi in Synology SSO Server before 2.1.3-0129 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
CVE-2017-16774 1 Synology 1 Diskstation Manager 2019-10-09 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter.
CVE-2017-16773 1 Synology 1 Universal Search 2019-10-09 6.5 MEDIUM 8.8 HIGH
Improper authorization vulnerability in Highlight Preview in Synology Universal Search before 1.0.5-0135 allows remote authenticated users to bypass permission checks for directories in POSIX mode.
CVE-2017-16771 1 Synology 1 Photo Station 2019-10-09 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in Log Viewer in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote attackers to inject arbitrary web script or HTML via the username parameter.
CVE-2017-16772 1 Synology 1 Photo Station 2019-10-09 6.5 MEDIUM 8.8 HIGH
Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUpload in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote authenticated users to execute arbitrary codes via the prog_id parameter.
CVE-2017-16770 1 Synology 1 Surveillance Station 2019-10-09 4.0 MEDIUM 6.5 MEDIUM
File and directory information exposure vulnerability in SYNO.SurveillanceStation.PersonalSettings.Photo in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to obtain other user's sensitive files via the filename parameter.
CVE-2017-16769 1 Synology 1 Photo Station 2019-10-09 5.0 MEDIUM 5.3 MEDIUM
Exposure of private information vulnerability in Photo Viewer in Synology Photo Station 6.8.1-3458 allows remote attackers to obtain metadata from password-protected photographs via the map viewer mode.
CVE-2017-15893 1 Synology 1 File Station 2019-10-09 4.0 MEDIUM 6.5 MEDIUM
Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology File Station before 1.1.1-0099 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.
CVE-2017-15886 1 Synology 1 Chat 2019-10-09 4.0 MEDIUM 6.5 MEDIUM
Server-side request forgery (SSRF) vulnerability in Link Preview in Synology Chat before 2.0.0-1124 allows remote authenticated users to download arbitrary local files via a crafted URI.
CVE-2017-15887 1 Synology 1 Carddav Server 2019-10-09 5.0 MEDIUM 9.8 CRITICAL
An improper restriction of excessive authentication attempts vulnerability in /principals in Synology CardDAV Server before 6.0.7-0085 allows remote attackers to obtain user credentials via a brute-force attack.
CVE-2017-15888 1 Synology 1 Audio Station 2019-10-09 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in Custom Internet Radio List in Synology Audio Station before 6.3.0-3260 allows remote authenticated attackers to inject arbitrary web script or HTML via the NAME parameter.
CVE-2017-15891 1 Synology 1 Calendar 2019-10-09 4.0 MEDIUM 6.5 MEDIUM
Improper access control vulnerability in SYNO.Cal.EventBase in Synology Calendar before 2.0.1-0242 allows remote authenticated users to modify calendar event via unspecified vectors.