Vulnerabilities > Synology > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-03-06 CVE-2018-7170 ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack.
network
high complexity
ntp synology netapp hpe
5.3
2018-02-27 CVE-2017-16770 Information Exposure vulnerability in Synology Surveillance Station
File and directory information exposure vulnerability in SYNO.SurveillanceStation.PersonalSettings.Photo in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to obtain other user's sensitive files via the filename parameter.
network
low complexity
synology CWE-200
6.5
2018-02-27 CVE-2017-16767 Cross-site Scripting vulnerability in Synology Surveillance Station
Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter.
network
low complexity
synology CWE-79
5.4
2018-02-23 CVE-2017-16769 Information Exposure vulnerability in Synology Photo Station 6.8.13458
Exposure of private information vulnerability in Photo Viewer in Synology Photo Station 6.8.1-3458 allows remote attackers to obtain metadata from password-protected photographs via the map viewer mode.
network
low complexity
synology CWE-200
5.3
2018-01-04 CVE-2017-5753 Information Exposure Through Discrepancy vulnerability in multiple products
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
5.6
2017-12-28 CVE-2017-15892 Cross-site Scripting vulnerability in Synology Chat
Multiple cross-site scripting (XSS) vulnerabilities in Slash Command Creator in Synology Chat before 2.0.0-1124 allow remote authenticated users to inject arbitrary web script or HTML via (1) COMMAND, (2) COMMANDS INSTRUCTION, or (3) DESCRIPTION parameter.
network
low complexity
synology CWE-79
5.4
2017-12-28 CVE-2017-15886 Server-Side Request Forgery (SSRF) vulnerability in Synology Chat
Server-side request forgery (SSRF) vulnerability in Link Preview in Synology Chat before 2.0.0-1124 allows remote authenticated users to download arbitrary local files via a crafted URI.
network
low complexity
synology CWE-918
6.5
2017-12-27 CVE-2017-16768 Cross-site Scripting vulnerability in Synology Mailplus Server
Cross-site scripting (XSS) vulnerability in User Policy editor in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary HTML via the name parameter.
network
low complexity
synology CWE-79
4.8
2017-12-22 CVE-2017-16766 Injection vulnerability in Synology Diskstation Manager
An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.3-8754-6 allows local users to inject arbitrary web script or HTML via the -fn option.
network
low complexity
synology CWE-74
6.5
2017-12-20 CVE-2017-12072 Cross-site Scripting vulnerability in Synology Photo Station
Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.8.0-3456 allows remote authenticated users to inject arbitrary web scripts or HTML via the id parameter.
network
low complexity
synology CWE-79
5.4