Vulnerabilities > Synology

DATE CVE VULNERABILITY TITLE RISK
2017-08-18 CVE-2017-11160 Untrusted Search Path vulnerability in Synology Assistant
Multiple untrusted search path vulnerabilities in installer in Synology Assistant before 6.1-15163 on Windows allows local attackers to execute arbitrary code and conduct DLL hijacking attack via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory.
local
low complexity
synology CWE-426
7.8
2017-08-14 CVE-2017-11156 Incorrect Permission Assignment for Critical Resource vulnerability in Synology Download Station
Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 uses weak permissions (0777) for ui/dlm/btsearch directory, which allows remote authenticated users to execute arbitrary code by uploading an executable via unspecified vectors.
local
low complexity
synology CWE-732
7.8
2017-08-14 CVE-2017-11150 OS Command Injection vulnerability in Synology Office 2.2.01502/2.2.11506
Command injection vulnerability in Document.php in Synology Office 2.2.0-1502 and 2.2.1-1506 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the crafted file name of RTF documents.
local
low complexity
synology CWE-78
7.8
2017-08-14 CVE-2017-11149 Server-Side Request Forgery (SSRF) vulnerability in Synology Download Station
Server-side request forgery (SSRF) vulnerability in Downloader in Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 allows remote authenticated users to download arbitrary local files via crafted URI.
network
low complexity
synology CWE-918
6.5
2017-08-11 CVE-2017-9556 Cross-site Scripting vulnerability in Synology Video Station
Cross-site scripting (XSS) vulnerability in Video Metadata Editor in Synology Video Station before 2.3.0-1435 allows remote authenticated attackers to inject arbitrary web script or HTML via the title parameter.
network
low complexity
synology CWE-79
5.4
2017-08-11 CVE-2017-11148 Server-Side Request Forgery (SSRF) vulnerability in Synology Chat
Server-side request forgery (SSRF) vulnerability in link preview in Synology Chat before 1.1.0-0806 allows remote authenticated users to access intranet resources via unspecified vectors.
network
low complexity
synology CWE-918
6.5
2017-08-08 CVE-2017-11155 Information Exposure vulnerability in Synology Photo Station
An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to obtain sensitive system information via unspecified vectors.
network
low complexity
synology CWE-200
7.5
2017-08-08 CVE-2017-11154 Unrestricted Upload of File with Dangerous Type vulnerability in Synology Photo Station
Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type parameter.
network
low complexity
synology CWE-434
7.2
2017-08-08 CVE-2017-11153 Deserialization of Untrusted Data vulnerability in Synology Photo Station
Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload.
network
low complexity
synology CWE-502
critical
9.8
2017-08-08 CVE-2017-11152 Path Traversal vulnerability in Synology Photo Station
Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter.
network
low complexity
synology CWE-22
7.5