Vulnerabilities > Synology > Medium

DATE CVE VULNERABILITY TITLE RISK
2020-10-29 CVE-2020-27657 Cleartext Transmission of Sensitive Information vulnerability in Synology Router Manager
Cleartext transmission of sensitive information vulnerability in DDNS in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.
network
high complexity
synology CWE-319
5.9
2020-08-21 CVE-2020-8622 Reachable Assertion vulnerability in multiple products
In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit.
6.5
2020-01-21 CVE-2019-19344 Use After Free vulnerability in multiple products
There is a use-after-free issue in all samba 4.9.x versions before 4.9.18, all samba 4.10.x versions before 4.10.12 and all samba 4.11.x versions before 4.11.5, essentially due to a call to realloc() while other local variables still point at the original buffer.
network
low complexity
samba canonical synology opensuse CWE-416
6.5
2020-01-21 CVE-2019-14907 Out-of-bounds Read vulnerability in multiple products
All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with "log level = 3" (or above) then the string obtained from the client, after a failed character conversion, is printed.
6.5
2019-08-13 CVE-2019-9516 Allocation of Resources Without Limits or Throttling vulnerability in multiple products
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service.
6.5
2019-06-30 CVE-2019-11828 Cross-site Scripting vulnerability in Synology Office
Cross-site scripting (XSS) vulnerability in Chart in Synology Office before 3.1.4-2771 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
network
low complexity
synology CWE-79
5.4
2019-06-30 CVE-2019-11827 Cross-site Scripting vulnerability in Synology Note Station
Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Shard in Synology Note Station before 2.5.3-0863 allows remote attackers to inject arbitrary web script or HTML via the object_id parameter.
network
low complexity
synology CWE-79
5.4
2019-06-30 CVE-2019-11825 Cross-site Scripting vulnerability in Synology Calendar
Cross-site scripting (XSS) vulnerability in Event Editor in Synology Calendar before 2.3.0-0615 allows remote attackers to inject arbitrary web script or HTML via the title parameter.
network
low complexity
synology CWE-79
5.4
2019-06-30 CVE-2019-11822 Path Traversal vulnerability in Synology Photo Station
Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter.
network
low complexity
synology CWE-22
6.5
2019-05-09 CVE-2019-11820 Insufficiently Protected Credentials vulnerability in Synology Calendar
Information exposure through process environment vulnerability in Synology Calendar before 2.3.3-0620 allows local users to obtain credentials via cmdline.
local
low complexity
synology CWE-522
5.5