Vulnerabilities > Synology > Medium

DATE CVE VULNERABILITY TITLE RISK
2017-12-28 CVE-2017-15892 Cross-site Scripting vulnerability in Synology Chat
Multiple cross-site scripting (XSS) vulnerabilities in Slash Command Creator in Synology Chat before 2.0.0-1124 allow remote authenticated users to inject arbitrary web script or HTML via (1) COMMAND, (2) COMMANDS INSTRUCTION, or (3) DESCRIPTION parameter.
network
low complexity
synology CWE-79
5.4
5.4
2017-12-28 CVE-2017-15886 Server-Side Request Forgery (SSRF) vulnerability in Synology Chat
Server-side request forgery (SSRF) vulnerability in Link Preview in Synology Chat before 2.0.0-1124 allows remote authenticated users to download arbitrary local files via a crafted URI.
network
low complexity
synology CWE-918
6.5
6.5
2017-12-27 CVE-2017-16768 Cross-site Scripting vulnerability in Synology Mailplus Server
Cross-site scripting (XSS) vulnerability in User Policy editor in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary HTML via the name parameter.
network
low complexity
synology CWE-79
4.8
4.8
2017-12-22 CVE-2017-16766 Injection vulnerability in Synology Diskstation Manager
An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.3-8754-6 allows local users to inject arbitrary web script or HTML via the -fn option.
network
low complexity
synology CWE-74
6.5
6.5
2017-12-20 CVE-2017-12072 Cross-site Scripting vulnerability in Synology Photo Station
Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.8.0-3456 allows remote authenticated users to inject arbitrary web scripts or HTML via the id parameter.
network
low complexity
synology CWE-79
5.4
5.4
2017-12-15 CVE-2017-15890 Cross-site Scripting vulnerability in Synology Mailplus Server
Cross-site scripting (XSS) vulnerability in Disclaimer in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary web script or HTML via the NAME parameter.
network
low complexity
synology CWE-79
4.8
4.8
2017-12-08 CVE-2017-15895 Path Traversal vulnerability in Synology Router Manager
Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology Router Manager (SRM) before 1.1.5-6542-4 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.
network
low complexity
synology CWE-22
6.5
6.5
2017-12-08 CVE-2017-15894 Path Traversal vulnerability in Synology Diskstation Manager
Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology DiskStation Manager (DSM) 6.0.x before 6.0.3-8754-3 and before 5.2-5967-6 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.
network
low complexity
synology CWE-22
6.5
6.5
2017-12-08 CVE-2017-15893 Path Traversal vulnerability in Synology File Station
Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology File Station before 1.1.1-0099 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.
network
low complexity
synology CWE-22
6.5
6.5
2017-12-08 CVE-2017-15891 Unspecified vulnerability in Synology Calendar
Improper access control vulnerability in SYNO.Cal.EventBase in Synology Calendar before 2.0.1-0242 allows remote authenticated users to modify calendar event via unspecified vectors.
network
low complexity
synology
6.5
6.5