Filtered by vendor Synology
Subscribe
Total
284 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-11150 | 1 Synology | 1 Office | 2025-04-20 | 6.5 MEDIUM | 7.8 HIGH |
Command injection vulnerability in Document.php in Synology Office 2.2.0-1502 and 2.2.1-1506 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the crafted file name of RTF documents. | |||||
CVE-2017-11157 | 2 Microsoft, Synology | 2 Windows, Cloud Station Backup | 2025-04-20 | 4.6 MEDIUM | 7.8 HIGH |
Multiple untrusted search path vulnerabilities in the installer in Synology Cloud Station Backup before 4.2.5-4396 on Windows allow local attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory. | |||||
CVE-2016-10330 | 1 Synology | 1 Photo Station | 2025-04-20 | 4.6 MEDIUM | 7.1 HIGH |
Directory traversal vulnerability in synophoto_dsm_user, a SUID program, as used in Synology Photo Station before 6.5.3-3226 allows local users to write to arbitrary files via unspecified vectors. | |||||
CVE-2017-11148 | 1 Synology | 1 Chat | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
Server-side request forgery (SSRF) vulnerability in link preview in Synology Chat before 1.1.0-0806 allows remote authenticated users to access intranet resources via unspecified vectors. | |||||
CVE-2017-12074 | 1 Synology | 1 Dns Server | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
Directory traversal vulnerability in the SYNO.DNSServer.Zone.MasterZoneConf in Synology DNS Server before 2.2.1-3042 allows remote authenticated attackers to write arbitrary files via the domain_name parameter. | |||||
CVE-2016-10331 | 1 Synology | 1 Photo Station | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
Directory traversal vulnerability in download.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to read arbitrary files via a full pathname in the id parameter. | |||||
CVE-2017-15891 | 1 Synology | 1 Calendar | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
Improper access control vulnerability in SYNO.Cal.EventBase in Synology Calendar before 2.0.1-0242 allows remote authenticated users to modify calendar event via unspecified vectors. | |||||
CVE-2017-11152 | 1 Synology | 1 Photo Station | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter. | |||||
CVE-2017-12077 | 1 Synology | 1 Router Manager | 2025-04-20 | 4.0 MEDIUM | 4.9 MEDIUM |
Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology Router Manager (SRM) before 1.1.4-6509 allows remote authenticated attacker to exhaust the memory resources of the machine, causing a denial of service attack. | |||||
CVE-2017-11151 | 1 Synology | 1 Photo Station | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action. | |||||
CVE-2017-14491 | 13 Arista, Arubanetworks, Canonical and 10 more | 29 Eos, Arubaos, Ubuntu Linux and 26 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response. | |||||
CVE-2015-2851 | 2 Apple, Synology | 2 Mac Os X, Cloud Station | 2025-04-12 | 6.8 MEDIUM | N/A |
client_chown in the sync client in Synology Cloud Station 1.1-2291 through 3.1-3320 on OS X allows local users to change the ownership of arbitrary files, and consequently obtain root access, by specifying a filename. | |||||
CVE-2015-2809 | 1 Synology | 1 Diskstation Manager | 2025-04-12 | 5.0 MEDIUM | N/A |
The Multicast DNS (mDNS) responder in Synology DiskStation Manager (DSM) before 3.1 inadvertently responds to unicast queries with source addresses that are not link-local, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets to the Avahi component. | |||||
CVE-2015-6912 | 1 Synology | 1 Video Station | 2025-04-12 | 10.0 HIGH | N/A |
Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharacters in the subtitle_codepage parameter to subtitle.cgi. | |||||
CVE-2015-6910 | 1 Synology | 1 Video Station | 2025-04-12 | 7.5 HIGH | N/A |
SQL injection vulnerability in Synology Video Station before 1.5-0757 allows remote attackers to execute arbitrary SQL commands via the id parameter to audiotrack.cgi. | |||||
CVE-2014-6848 | 1 Synology | 1 Ds File | 2025-04-12 | 5.4 MEDIUM | N/A |
The DS file (aka com.synology.DSfile) application 4.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
CVE-2015-6911 | 1 Synology | 1 Video Station | 2025-04-12 | 7.5 HIGH | N/A |
SQL injection vulnerability in Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary SQL commands via the id parameter to watchstatus.cgi. | |||||
CVE-2014-6868 | 1 Synology | 1 Ds Audio | 2025-04-12 | 5.4 MEDIUM | N/A |
The DS audio (aka com.synology.DSaudio) application 3.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
CVE-2014-2264 | 1 Synology | 1 Diskstation Manager | 2025-04-12 | 7.8 HIGH | N/A |
The OpenVPN module in Synology DiskStation Manager (DSM) 4.3-3810 update 1 has a hardcoded root password of synopass, which makes it easier for remote attackers to obtain access via a VPN session. | |||||
CVE-2015-6909 | 1 Synology | 1 Download Station | 2025-04-12 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the "Create download task via file upload" feature in Synology Download Station before 3.5-2962 allows remote attackers to inject arbitrary web script or HTML via the name element in the Info dictionary in a torrent file. |