Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Synology Subscribe
Total 240 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-11822 1 Synology 1 Photo Station 2023-01-30 4.0 MEDIUM 6.5 MEDIUM
Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter.
CVE-2019-11821 1 Synology 1 Photo Station 2023-01-30 7.5 HIGH 9.8 CRITICAL
SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter.
CVE-2019-11826 1 Synology 1 Moments 2023-01-30 6.5 MEDIUM 8.8 HIGH
Relative path traversal vulnerability in SYNO.PhotoTeam.Upload.Item in Synology Moments before 1.3.0-0691 allows remote authenticated users to upload arbitrary files via the name parameter.
CVE-2019-11828 1 Synology 1 Office 2023-01-30 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in Chart in Synology Office before 3.1.4-2771 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVE-2019-11827 1 Synology 1 Note Station 2023-01-30 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Shard in Synology Note Station before 2.5.3-0863 allows remote attackers to inject arbitrary web script or HTML via the object_id parameter.
CVE-2019-11829 1 Synology 1 Calendar 2023-01-30 7.5 HIGH 9.8 CRITICAL
OS command injection vulnerability in drivers_syno_import_user.php in Synology Calendar before 2.3.1-0617 allows remote attackers to execute arbitrary commands via the crafted 'X-Real-IP' header.
CVE-2019-11825 1 Synology 1 Calendar 2023-01-30 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in Event Editor in Synology Calendar before 2.3.0-0615 allows remote attackers to inject arbitrary web script or HTML via the title parameter.
CVE-2022-27612 1 Synology 1 Audio Station 2023-01-24 N/A 9.8 CRITICAL
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in cgi component in Synology Audio Station before 6.5.4-3367 allows remote attackers to execute arbitrary commands via unspecified vectors.
CVE-2019-9517 12 Apache, Apple, Canonical and 9 more 25 Http Server, Traffic Server, Mac Os X and 22 more 2023-01-19 7.8 HIGH 7.5 HIGH
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
CVE-2023-0077 1 Synology 1 Router Manager 2023-01-11 N/A 9.8 CRITICAL
Integer overflow or wraparound vulnerability in CGI component in Synology Router Manager (SRM) before 1.2.5-8227-6 and 1.3.1-9346-3 allows remote attackers to overflow buffers via unspecified vectors.
CVE-2022-43932 1 Synology 1 Router Manager 2023-01-11 N/A 7.5 HIGH
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in CGI component in Synology Router Manager (SRM) before 1.2.5-8227-6 and 1.3.1-9346-3 allows remote attackers to read arbitrary files via unspecified vectors.
CVE-2022-43931 1 Synology 2 Router Manager, Vpn Plus Server 2023-01-05 N/A 10.0 CRITICAL
Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified vectors.
CVE-2020-27654 1 Synology 1 Router Manager 2022-11-16 7.5 HIGH 9.8 CRITICAL
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
CVE-2020-27653 1 Synology 2 Diskstation Manager, Router Manager 2022-11-16 5.1 MEDIUM 8.3 HIGH
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27652 1 Synology 3 Diskstation Manager, Skynas, Skynas Firmware 2022-11-16 5.1 MEDIUM 8.3 HIGH
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27655 1 Synology 1 Router Manager 2022-11-16 7.5 HIGH 10.0 CRITICAL
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.
CVE-2022-43749 1 Synology 1 Presto File Server 2022-10-28 N/A 8.8 HIGH
Improper privilege management vulnerability in summary report management in Synology Presto File Server before 2.1.2-1601 allows remote authenticated users to bypass security constraint via unspecified vectors.
CVE-2022-43748 1 Synology 1 Presto File Server 2022-10-28 N/A 7.5 HIGH
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in file operation management in Synology Presto File Server before 2.1.2-1601 allows remote attackers to write arbitrary files via unspecified vectors.
CVE-2022-27622 1 Synology 1 Diskstation Manager 2022-10-26 N/A 4.3 MEDIUM
Server-Side Request Forgery (SSRF) vulnerability in Package Center functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote authenticated users to access intranet resources via unspecified vectors.
CVE-2022-27623 1 Synology 1 Diskstation Manager 2022-10-26 N/A 9.1 CRITICAL
Missing authentication for critical function vulnerability in iSCSI management functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote attackers to read or write arbitrary files via unspecified vectors.