Vulnerabilities > Synology > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-05-08 | CVE-2018-8897 | Race Condition vulnerability in multiple products A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. | 7.2 |
| 2017-09-08 | CVE-2017-11161 | SQL Injection vulnerability in Synology Photo Station Multiple SQL injection vulnerabilities in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allow remote attackers to execute arbitrary SQL commands via the (1) article_id parameter to label.php; or (2) type parameter to synotheme.php. | 7.5 |
| 2017-08-08 | CVE-2017-11153 | Deserialization of Untrusted Data vulnerability in Synology Photo Station Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload. | 7.5 |
| 2017-08-08 | CVE-2017-11151 | Improper Authentication vulnerability in Synology Photo Station A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action. | 7.5 |
| 2017-05-12 | CVE-2016-10330 | Path Traversal vulnerability in Synology Photo Station Directory traversal vulnerability in synophoto_dsm_user, a SUID program, as used in Synology Photo Station before 6.5.3-3226 allows local users to write to arbitrary files via unspecified vectors. | 7.1 |
| 2017-05-12 | CVE-2016-10329 | Command Injection vulnerability in Synology Photo Station Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted 'X-Forwarded-For' header. | 7.5 |
| 2017-04-10 | CVE-2016-10323 | Permissions, Privileges, and Access Controls vulnerability in Synology Photo Station Synology Photo Station before 6.3-2958 allows local users to gain privileges by leveraging setuid execution of a "synophoto_dsm_user --copy-no-ea" command. | 7.2 |
| 2015-09-11 | CVE-2015-6911 | SQL Injection vulnerability in Synology Video Station SQL injection vulnerability in Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary SQL commands via the id parameter to watchstatus.cgi. | 7.5 |
| 2015-09-11 | CVE-2015-6910 | SQL Injection vulnerability in Synology Video Station SQL injection vulnerability in Synology Video Station before 1.5-0757 allows remote attackers to execute arbitrary SQL commands via the id parameter to audiotrack.cgi. | 7.5 |
| 2014-03-02 | CVE-2014-2264 | Information Exposure vulnerability in Synology Diskstation Manager 4.33810 The OpenVPN module in Synology DiskStation Manager (DSM) 4.3-3810 update 1 has a hardcoded root password of synopass, which makes it easier for remote attackers to obtain access via a VPN session. | 7.8 |