Vulnerabilities > Synology > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-04-01 CVE-2018-13287 Incorrect Default Permissions vulnerability in Synology Router Manager
Incorrect default permissions vulnerability in synouser.conf in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to obtain sensitive information via the world readable configuration.
network
low complexity
synology CWE-276
6.5
2019-04-01 CVE-2018-13286 Incorrect Default Permissions vulnerability in Synology Diskstation Manager
Incorrect default permissions vulnerability in synouser.conf in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to obtain sensitive information via the world readable configuration.
network
low complexity
synology CWE-276
6.5
2019-04-01 CVE-2017-16775 Improper Input Validation vulnerability in Synology SSO Server
Improper restriction of rendered UI layers or frames vulnerability in SSOOauth.cgi in Synology SSO Server before 2.1.3-0129 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
network
low complexity
synology CWE-20
6.1
2019-04-01 CVE-2017-16774 Cross-site Scripting vulnerability in Synology Diskstation Manager
Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter.
network
low complexity
synology CWE-79
5.4
2018-12-24 CVE-2018-8917 Cross-site Scripting vulnerability in Synology Diskstation Manager
Cross-site scripting (XSS) vulnerability in info.cgi in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary web script or HTML via the host parameter.
network
low complexity
synology CWE-79
5.4
2018-12-24 CVE-2018-8918 Cross-site Scripting vulnerability in Synology Router Manager
Cross-site scripting (XSS) vulnerability in info.cgi in Synology Router Manager (SRM) before 1.1.7-6941 allows remote attackers to inject arbitrary web script or HTML via the host parameter.
network
low complexity
synology CWE-79
5.4
2018-10-31 CVE-2018-13282 Session Fixation vulnerability in Synology Photo Station
Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
network
low complexity
synology CWE-384
6.3
2018-10-31 CVE-2018-13281 Information Exposure vulnerability in Synology Diskstation Manager, Skynas and Vs960Hd
Information exposure vulnerability in SYNO.Core.ACL in Synology DiskStation Manager (DSM) before 6.2-23739-2 allows remote authenticated users to determine the existence and obtain the metadata of arbitrary files via the file_path parameter.
network
low complexity
synology CWE-200
4.3
2018-07-30 CVE-2018-13280 Use of Insufficiently Random Values vulnerability in Synology Diskstation Manager
Use of insufficiently random values vulnerability in SYNO.Encryption.GenRandomKey in Synology DiskStation Manager (DSM) before 6.2-23739 allows man-in-the-middle attackers to compromise non-HTTPS sessions via unspecified vectors.
network
high complexity
synology CWE-330
5.9
2018-07-05 CVE-2018-8928 Cross-site Scripting vulnerability in Synology Carddav Server
Cross-site scripting (XSS) vulnerability in Address Book Editor in Synology CardDAV Server before 6.0.8-0086 allows remote authenticated users to inject arbitrary web script or HTML via the (1) family_name, (2) given_name, or (3) additional_name parameter.
network
low complexity
synology CWE-79
5.4