Vulnerabilities > Synology

DATE CVE VULNERABILITY TITLE RISK
2018-07-13 CVE-2016-6554 Credentials Management vulnerability in Synology Ds107 Firmware and Ds213 Firmware
Synology NAS servers DS107, firmware version 3.1-1639 and prior, and DS116, DS213, firmware versions prior to 5.2-5644-1, use non-random default credentials of: guest:(blank) and admin:(blank) .
network
low complexity
synology CWE-255
critical
 9.8
9.8
2018-07-06 CVE-2018-8929 Channel and Path Errors vulnerability in Synology SSL VPN Client
Improper restriction of communication channel to intended endpoints vulnerability in HTTP daemon in Synology SSL VPN Client before 1.2.4-0224 allows remote attackers to conduct man-in-the-middle attacks via a crafted payload.
network
high complexity
synology CWE-417
8.1
8.1
2018-07-05 CVE-2018-8928 Cross-site Scripting vulnerability in Synology Carddav Server
Cross-site scripting (XSS) vulnerability in Address Book Editor in Synology CardDAV Server before 6.0.8-0086 allows remote authenticated users to inject arbitrary web script or HTML via the (1) family_name, (2) given_name, or (3) additional_name parameter.
network
low complexity
synology CWE-79
5.4
5.4
2018-07-05 CVE-2017-16773 Incorrect Authorization vulnerability in Synology Universal Search
Improper authorization vulnerability in Highlight Preview in Synology Universal Search before 1.0.5-0135 allows remote authenticated users to bypass permission checks for directories in POSIX mode.
network
low complexity
synology CWE-863
8.8
8.8
2018-06-14 CVE-2018-8927 Incorrect Authorization vulnerability in Synology Calendar
Improper authorization vulnerability in SYNO.Cal.Event in Calendar before 2.1.2-0511 allows remote authenticated users to create arbitrary events via the (1) cal_id or (2) original_cal_id parameter.
network
low complexity
synology CWE-863
6.5
6.5
2018-06-08 CVE-2018-8926 Unspecified vulnerability in Synology Photo Station
Permissive regular expression vulnerability in synophoto_dsm_user in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote authenticated users to conduct privilege escalation attacks via the fullname parameter.
network
low complexity
synology
8.8
8.8
2018-06-08 CVE-2018-8925 Cross-Site Request Forgery (CSRF) vulnerability in Synology Photo Station
Cross-site request forgery (CSRF) vulnerability in admin/user.php in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote attackers to hijack the authentication of administrators via the (1) username, (2) password, (3) admin, (4) action, (5) uid, or (6) modify_admin parameter.
network
low complexity
synology CWE-352
8.8
8.8
2018-06-08 CVE-2018-8916 Weak Password Recovery Mechanism for Forgotten Password vulnerability in Synology Diskstation Manager
Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification.
network
low complexity
synology CWE-640
8.8
8.8
2018-06-08 CVE-2017-12078 Command Injection vulnerability in Synology Router Manager
Command injection vulnerability in EZ-Internet in Synology Router Manager (SRM) before 1.1.6-6931 allows remote authenticated users to execute arbitrary command via the username parameter.
network
low complexity
synology CWE-77
7.2
7.2
2018-06-08 CVE-2017-12075 Command Injection vulnerability in Synology Diskstation Manager
Command injection vulnerability in EZ-Internet in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to execute arbitrary command via the username parameter.
network
low complexity
synology CWE-77
7.2
7.2