Vulnerabilities > Synology

DATE CVE VULNERABILITY TITLE RISK
2017-12-15 CVE-2017-15890 Cross-site Scripting vulnerability in Synology Mailplus Server
Cross-site scripting (XSS) vulnerability in Disclaimer in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary web script or HTML via the NAME parameter.
network
low complexity
synology CWE-79
4.8
4.8
2017-12-08 CVE-2017-15895 Path Traversal vulnerability in Synology Router Manager
Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology Router Manager (SRM) before 1.1.5-6542-4 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.
network
low complexity
synology CWE-22
6.5
6.5
2017-12-08 CVE-2017-15894 Path Traversal vulnerability in Synology Diskstation Manager
Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology DiskStation Manager (DSM) 6.0.x before 6.0.3-8754-3 and before 5.2-5967-6 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.
network
low complexity
synology CWE-22
6.5
6.5
2017-12-08 CVE-2017-15893 Path Traversal vulnerability in Synology File Station
Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology File Station before 1.1.1-0099 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.
network
low complexity
synology CWE-22
6.5
6.5
2017-12-08 CVE-2017-15891 Unspecified vulnerability in Synology Calendar
Improper access control vulnerability in SYNO.Cal.EventBase in Synology Calendar before 2.0.1-0242 allows remote authenticated users to modify calendar event via unspecified vectors.
network
low complexity
synology
6.5
6.5
2017-12-04 CVE-2017-15889 Command Injection vulnerability in Synology Diskstation Manager
Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via disk field.
network
low complexity
synology CWE-77
8.8
8.8
2017-12-04 CVE-2017-12080 Information Exposure vulnerability in Synology Photo Station
An information exposure vulnerability in default HTTP configuration file in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain sensitive system information via .htaccess file.
network
low complexity
synology CWE-200
5.3
5.3
2017-12-04 CVE-2017-12079 Information Exposure vulnerability in Synology Photo Station
Files or directories accessible to external parties vulnerability in picasa.php in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain arbitrary files via prog_id field.
network
low complexity
synology CWE-200
7.5
7.5
2017-11-07 CVE-2017-15887 Improper Restriction of Excessive Authentication Attempts vulnerability in Synology Carddav Server
An improper restriction of excessive authentication attempts vulnerability in /principals in Synology CardDAV Server before 6.0.7-0085 allows remote attackers to obtain user credentials via a brute-force attack.
network
low complexity
synology CWE-307
critical
 9.8
9.8
2017-10-30 CVE-2017-15888 Cross-site Scripting vulnerability in Synology Audio Station
Cross-site scripting (XSS) vulnerability in Custom Internet Radio List in Synology Audio Station before 6.3.0-3260 allows remote authenticated attackers to inject arbitrary web script or HTML via the NAME parameter.
network
low complexity
synology CWE-79
5.4
5.4