Vulnerabilities > Synology
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-06-30 | CVE-2019-11828 | Cross-site Scripting vulnerability in Synology Office Cross-site scripting (XSS) vulnerability in Chart in Synology Office before 3.1.4-2771 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 5.4 |
| 2019-06-30 | CVE-2019-11827 | Cross-site Scripting vulnerability in Synology Note Station Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Shard in Synology Note Station before 2.5.3-0863 allows remote attackers to inject arbitrary web script or HTML via the object_id parameter. | 5.4 |
| 2019-06-30 | CVE-2019-11826 | Path Traversal vulnerability in Synology Moments Relative path traversal vulnerability in SYNO.PhotoTeam.Upload.Item in Synology Moments before 1.3.0-0691 allows remote authenticated users to upload arbitrary files via the name parameter. | 8.8 |
| 2019-06-30 | CVE-2019-11825 | Cross-site Scripting vulnerability in Synology Calendar Cross-site scripting (XSS) vulnerability in Event Editor in Synology Calendar before 2.3.0-0615 allows remote attackers to inject arbitrary web script or HTML via the title parameter. | 5.4 |
| 2019-06-30 | CVE-2019-11822 | Path Traversal vulnerability in Synology Photo Station Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter. | 6.5 |
| 2019-06-30 | CVE-2019-11821 | SQL Injection vulnerability in Synology Photo Station SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter. | 9.8 |
| 2019-05-09 | CVE-2019-11820 | Insufficiently Protected Credentials vulnerability in Synology Calendar Information exposure through process environment vulnerability in Synology Calendar before 2.3.3-0620 allows local users to obtain credentials via cmdline. | 2.1 |
| 2019-04-17 | CVE-2019-9499 | Improper Authentication vulnerability in multiple products The implementations of EAP-PWD in wpa_supplicant EAP Peer, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. | 8.1 |
| 2019-04-17 | CVE-2019-9498 | Improper Authentication vulnerability in multiple products The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. | 8.1 |
| 2019-04-17 | CVE-2019-9495 | Information Exposure Through Discrepancy vulnerability in multiple products The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side-channel attacks as a result of cache access patterns. | 3.7 |