Vulnerabilities > Synology

DATE CVE VULNERABILITY TITLE RISK
2018-12-24 CVE-2018-8918 Cross-site Scripting vulnerability in Synology Router Manager
Cross-site scripting (XSS) vulnerability in info.cgi in Synology Router Manager (SRM) before 1.1.7-6941 allows remote attackers to inject arbitrary web script or HTML via the host parameter.
network
low complexity
synology CWE-79
5.4
2018-12-20 CVE-2018-1160 Out-of-bounds Write vulnerability in multiple products
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c.
network
low complexity
netatalk synology debian CWE-787
critical
9.8
2018-10-31 CVE-2018-13282 Session Fixation vulnerability in Synology Photo Station
Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
network
low complexity
synology CWE-384
6.3
2018-10-31 CVE-2018-13281 Information Exposure vulnerability in Synology Diskstation Manager, Skynas and Vs960Hd
Information exposure vulnerability in SYNO.Core.ACL in Synology DiskStation Manager (DSM) before 6.2-23739-2 allows remote authenticated users to determine the existence and obtain the metadata of arbitrary files via the file_path parameter.
network
low complexity
synology CWE-200
4.3
2018-07-30 CVE-2018-13280 Use of Insufficiently Random Values vulnerability in Synology Diskstation Manager
Use of insufficiently random values vulnerability in SYNO.Encryption.GenRandomKey in Synology DiskStation Manager (DSM) before 6.2-23739 allows man-in-the-middle attackers to compromise non-HTTPS sessions via unspecified vectors.
network
high complexity
synology CWE-330
5.9
2018-07-13 CVE-2016-6554 Credentials Management vulnerability in Synology Ds107 Firmware and Ds213 Firmware
Synology NAS servers DS107, firmware version 3.1-1639 and prior, and DS116, DS213, firmware versions prior to 5.2-5644-1, use non-random default credentials of: guest:(blank) and admin:(blank) .
network
low complexity
synology CWE-255
critical
9.8
2018-07-06 CVE-2018-8929 Channel and Path Errors vulnerability in Synology SSL VPN Client
Improper restriction of communication channel to intended endpoints vulnerability in HTTP daemon in Synology SSL VPN Client before 1.2.4-0224 allows remote attackers to conduct man-in-the-middle attacks via a crafted payload.
network
high complexity
synology CWE-417
8.1
2018-07-05 CVE-2018-8928 Cross-site Scripting vulnerability in Synology Carddav Server
Cross-site scripting (XSS) vulnerability in Address Book Editor in Synology CardDAV Server before 6.0.8-0086 allows remote authenticated users to inject arbitrary web script or HTML via the (1) family_name, (2) given_name, or (3) additional_name parameter.
network
low complexity
synology CWE-79
5.4
2018-07-05 CVE-2017-16773 Incorrect Authorization vulnerability in Synology Universal Search
Improper authorization vulnerability in Highlight Preview in Synology Universal Search before 1.0.5-0135 allows remote authenticated users to bypass permission checks for directories in POSIX mode.
network
low complexity
synology CWE-863
8.8
2018-06-14 CVE-2018-8927 Incorrect Authorization vulnerability in Synology Calendar
Improper authorization vulnerability in SYNO.Cal.Event in Calendar before 2.1.2-0511 allows remote authenticated users to create arbitrary events via the (1) cal_id or (2) original_cal_id parameter.
network
low complexity
synology CWE-863
6.5