Vulnerabilities > Synology

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
|---|---|---|---|---|
| 2014-09-12 | CVE-2012-1556 | Cross-Site Scripting vulnerability in Synology Diskstation Manager and Synology Photo Station | Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php. | network, synology CWE-79, 4.3 |
| 2014-03-02 | CVE-2014-2264 | Information Exposure vulnerability in Synology Diskstation Manager 4.3-3810 | The OpenVPN module in Synology DiskStation Manager (DSM) 4.3-3810 update 1 has a hardcoded root password of synopass, which makes it easier for remote attackers to obtain access via a VPN session. | network, low complexity, synology CWE-200, 7.8 |
| 2014-01-09 | CVE-2013-6955 | Permissions, Privileges, and Access Controls vulnerability in Synology Diskstation Manager | webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header. | network, low complexity, synology CWE-264, critical, 10.0 |
| 2013-12-31 | CVE-2013-6987 | Path Traversal vulnerability in Synology Diskstation Manager 4.3-3810 | Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. | network, low complexity, synology CWE-22, 7.5 |
| 2010-09-29 | CVE-2010-3684 | Credentials Management vulnerability in Synology DSM | The FTP authentication module in Synology Disk Station 2.x logs passwords to the web application interface in cases of incorrect login attempts, which allows local users to obtain sensitive information by reading a log, a different vulnerability than CVE-2010-2453. | local, low complexity, synology CWE-255, 2.1 |
| 2010-09-29 | CVE-2010-2453 | Cross-Site Scripting vulnerability in Synology DSM | Multiple cross-site scripting (XSS) vulnerabilities in Synology Disk Station 2.x before DSM3.0-1337 allow remote attackers to inject arbitrary web script or HTML by connecting to the FTP server and providing a crafted (1) USER or (2) PASS command, which is written by the FTP logging module to a web-interface log window, related to a "web commands injection" issue. | network, synology CWE-79, 4.3 |