Vulnerabilities > Synology > Photo Station > 5.2.2398

DATE CVE VULNERABILITY TITLE RISK
2017-08-08 CVE-2017-11151 Improper Authentication vulnerability in Synology Photo Station
A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action.
network
low complexity
synology CWE-287
critical
 9.8
9.8
2017-06-30 CVE-2015-9102 Cross-site Scripting vulnerability in Synology Photo Station
Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos.
network
low complexity
synology CWE-79
5.4
5.4
2017-05-12 CVE-2016-10331 Path Traversal vulnerability in Synology Photo Station
Directory traversal vulnerability in download.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to read arbitrary files via a full pathname in the id parameter.
network
low complexity
synology CWE-22
7.5
7.5
2017-05-12 CVE-2016-10330 Path Traversal vulnerability in Synology Photo Station
Directory traversal vulnerability in synophoto_dsm_user, a SUID program, as used in Synology Photo Station before 6.5.3-3226 allows local users to write to arbitrary files via unspecified vectors.
local
low complexity
synology CWE-22
7.1
7.1
2017-05-12 CVE-2016-10329 Command Injection vulnerability in Synology Photo Station
Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted 'X-Forwarded-For' header.
network
low complexity
synology CWE-77
critical
 9.8
9.8
2017-04-10 CVE-2016-10323 Permissions, Privileges, and Access Controls vulnerability in Synology Photo Station
Synology Photo Station before 6.3-2958 allows local users to gain privileges by leveraging setuid execution of a "synophoto_dsm_user --copy-no-ea" command.
local
low complexity
synology CWE-264
7.8
7.8
2017-04-10 CVE-2016-10322 Command Injection vulnerability in Synology Photo Station
Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php.
network
low complexity
synology CWE-77
8.8
8.8