Vulnerabilities > Synology

DATE CVE VULNERABILITY TITLE RISK
2021-02-26 CVE-2021-26564 Cleartext Transmission of Sensitive Information vulnerability in Synology products
Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
network
high complexity
synology CWE-319
8.7
2021-02-26 CVE-2021-26563 Unspecified vulnerability in Synology products
Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
local
low complexity
synology
6.7
2021-02-26 CVE-2021-26562 Out-of-bounds Write vulnerability in Synology products
Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
network
high complexity
synology CWE-787
8.1
2021-02-26 CVE-2021-26561 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Synology products
Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
network
high complexity
synology CWE-119
8.1
2021-02-26 CVE-2021-26560 Cleartext Transmission of Sensitive Information vulnerability in Synology products
Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
network
high complexity
synology CWE-319
7.4
2021-01-26 CVE-2021-3156 Off-by-one Error vulnerability in multiple products
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
7.8
2020-11-30 CVE-2020-27660 SQL Injection vulnerability in Synology Safeaccess
SQL injection vulnerability in request.cgi in Synology SafeAccess before 1.2.3-0234 allows remote attackers to execute arbitrary SQL commands via the domain parameter.
network
low complexity
synology CWE-89
critical
9.8
2020-11-30 CVE-2020-27659 Cross-site Scripting vulnerability in Synology Safeaccess
Multiple cross-site scripting (XSS) vulnerabilities in Synology SafeAccess before 1.2.3-0234 allow remote attackers to inject arbitrary web script or HTML via the (1) domain or (2) profile parameter.
network
low complexity
synology CWE-79
4.8
2020-10-29 CVE-2020-27658 Incorrect Permission Assignment for Critical Resource vulnerability in Synology Router Manager
Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
network
low complexity
synology CWE-732
6.1
2020-10-29 CVE-2020-27657 Cleartext Transmission of Sensitive Information vulnerability in Synology Router Manager
Cleartext transmission of sensitive information vulnerability in DDNS in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.
network
high complexity
synology CWE-319
5.9