Vulnerabilities > Synology > Medium

DATE CVE VULNERABILITY TITLE RISK
2017-08-28 CVE-2017-12076 Resource Exhaustion vulnerability in Synology Diskstation Manager
Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology DiskStation (DSM) before 6.1.1-15088 allows remote authenticated attacker to exhaust the memory resources of the machine, causing a denial of service attack.
network
low complexity
synology CWE-400
4.9
2017-08-24 CVE-2017-9555 Cross-site Scripting vulnerability in Synology Photo Station
Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.0-3414 allows remote attackers to inject arbitrary web script or HTML via the image parameter.
network
low complexity
synology CWE-79
5.4
2017-08-24 CVE-2017-12074 Path Traversal vulnerability in Synology DNS Server
Directory traversal vulnerability in the SYNO.DNSServer.Zone.MasterZoneConf in Synology DNS Server before 2.2.1-3042 allows remote authenticated attackers to write arbitrary files via the domain_name parameter.
network
low complexity
synology CWE-22
6.5
2017-08-14 CVE-2017-11149 Server-Side Request Forgery (SSRF) vulnerability in Synology Download Station
Server-side request forgery (SSRF) vulnerability in Downloader in Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 allows remote authenticated users to download arbitrary local files via crafted URI.
network
low complexity
synology CWE-918
6.5
2017-08-11 CVE-2017-9556 Cross-site Scripting vulnerability in Synology Video Station
Cross-site scripting (XSS) vulnerability in Video Metadata Editor in Synology Video Station before 2.3.0-1435 allows remote authenticated attackers to inject arbitrary web script or HTML via the title parameter.
network
low complexity
synology CWE-79
5.4
2017-08-11 CVE-2017-11148 Server-Side Request Forgery (SSRF) vulnerability in Synology Chat
Server-side request forgery (SSRF) vulnerability in link preview in Synology Chat before 1.1.0-0806 allows remote authenticated users to access intranet resources via unspecified vectors.
network
low complexity
synology CWE-918
6.5
2017-07-24 CVE-2017-9554 Information Exposure vulnerability in Synology Diskstation Manager
An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors.
network
low complexity
synology CWE-200
5.3
2017-06-30 CVE-2015-9105 Cross-site Scripting vulnerability in Synology Video Station
Multiple cross-site scripting (XSS) vulnerabilities in Synology Video Station 1.2 before 1.2-0455, 1.5 before 1.5-0772, and 1.6 before 1.6-0847 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) file name or (2) collection name of videos.
network
low complexity
synology CWE-79
5.4
2017-06-30 CVE-2015-9104 Cross-site Scripting vulnerability in Synology Audio Station
Cross-site scripting (XSS) vulnerabilities in Synology Audio Station 5.1 before 5.1-2550 and 5.4 before 5.4-2857 allows remote authenticated attackers to inject arbitrary web script or HTML via the album title.
network
low complexity
synology CWE-79
5.4
2017-06-30 CVE-2015-9103 Cross-site Scripting vulnerability in Synology Note Station
Multiple cross-site scripting (XSS) vulnerabilities in Synology Note Station 1.1-0212 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) note title or (2) file name of attachments.
network
low complexity
synology CWE-79
5.4