Synology vulnerabilities: Medium risk

DATE CVE VULNERABILITY TITLE RISK
2015-09-11 CVE-2015-6909 Cross-site Scripting vulnerability in Synology Download Station
Cross-site scripting (XSS) vulnerability in the "Create download task via file upload" feature in Synology Download Station before 3.5-2962 allows remote attackers to inject arbitrary web script or HTML via the name element in the Info dictionary in a torrent file.
Risk: 4.3 | network | synology | CWE-79

2015-06-18 CVE-2015-4656 Cross-site Scripting vulnerability in Synology Photo Station
Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php or (2) crafted URL parameters to index.php, as demonstrated by the t parameter to photo/.
Risk: 4.3 | network | synology | CWE-79

2015-06-18 CVE-2015-4655 Cross-site Scripting vulnerability in Synology DiskStation Manager
Cross-site scripting (XSS) vulnerability in Synology DiskStation Manager (DSM) before 5.2-5565 Update 1 allows remote attackers to inject arbitrary web script or HTML via the "compound" parameter to entry.cgi.
Risk: 4.3 | network | synology | CWE-79

2015-05-30 CVE-2015-2851 Permissions, Privileges, and Access Controls vulnerability in Synology Cloud Station
client_chown in the sync client in Synology Cloud Station 1.1-2291 through 3.1-3320 on OS X allows local users to change the ownership of arbitrary files, and consequently obtain root access, by specifying a filename.
Risk: 6.8 | local, low complexity | synology, apple | CWE-264

2015-04-01 CVE-2015-2809 Information Exposure vulnerability in Synology DiskStation Manager 3.0
The Multicast DNS (mDNS) responder in Synology DiskStation Manager (DSM) before 3.1 inadvertently responds to unicast queries with source addresses that are not link-local, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets to the Avahi component.
Risk: 5.0 | network, low complexity | synology | CWE-200

2014-10-02 CVE-2014-6868 Cryptographic Issues vulnerability in Synology DS Audio 3.4
The DS audio (aka com.synology.DSaudio) application 3.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Risk: 5.4

2014-09-30 CVE-2014-6848 Cryptographic Issues vulnerability in Synology DS File 4.1.1
The DS file (aka com.synology.DSfile) application 4.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Risk: 5.4

2014-09-30 CVE-2014-6836 Cryptographic Issues vulnerability in Synology DS Photo+ 3.3
The DS photo+ (aka com.synology.dsphoto) application 3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Risk: 5.4

2014-09-12 CVE-2012-1556 Cross-Site Scripting vulnerability in Synology DiskStation Manager and Synology Photo Station
Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php.
Risk: 4.3 | network | synology | CWE-79

2010-09-29 CVE-2010-2453 Cross-Site Scripting vulnerability in Synology DSM
Multiple cross-site scripting (XSS) vulnerabilities in Synology Disk Station 2.x before DSM3.0-1337 allow remote attackers to inject arbitrary web script or HTML by connecting to the FTP server and providing a crafted (1) USER or (2) PASS command, which is written by the FTP logging module to a web-interface log window, related to a "web commands injection" issue.
Risk: 4.3 | network | synology | CWE-79