VYPR

Diskstation Manager

by Synology

CVEs (77)

  • CVE-2017-14491CriOct 4, 2017
    risk 0.73cvss 9.8epss 0.85

    Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response.

  • CVE-2017-15889HigDec 4, 2017
    risk 0.66cvss 8.8epss 0.72

    Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via disk field.

  • CVE-2025-13392HigMay 27, 2026
    risk 0.53cvss 8.1epss 0.01

    Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 (7.2.1-69057 is not affected) allows remote attackers to bypass authentication with prior knowledge of the distinguished name…

  • CVE-2017-9553HigJul 24, 2017
    risk 0.49cvss 7.5epss 0.01

    A design flaw in SYNO.API.Encryption in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to bypass the encryption protection mechanism via the crafted version parameter.

  • CVE-2018-13280HigJul 30, 2018
    risk 0.48cvss 7.4epss 0.01

    Use of insufficiently random values vulnerability in SYNO.Encryption.GenRandomKey in Synology DiskStation Manager (DSM) before 6.2-23739 allows man-in-the-middle attackers to compromise non-HTTPS sessions via unspecified vectors.

  • CVE-2017-12075HigJun 8, 2018
    risk 0.47cvss 7.2epss 0.02

    Command injection vulnerability in EZ-Internet in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to execute arbitrary command via the username parameter.

  • CVE-2017-9554MedJul 24, 2017
    risk 0.43cvss 5.3epss 0.75

    An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors.

  • CVE-2017-16766MedDec 22, 2017
    risk 0.42cvss 6.5epss 0.01

    An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.3-8754-6 allows local users to inject arbitrary web script or HTML via the -fn option.

  • CVE-2017-15894MedDec 8, 2017
    risk 0.42cvss 6.5epss 0.02

    Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology DiskStation Manager (DSM) 6.0.x before 6.0.3-8754-3 and before 5.2-5967-6 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.

  • CVE-2018-8916MedJun 8, 2018
    risk 0.41cvss 6.3epss 0.01

    Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification.

  • CVE-2017-12076MedAug 28, 2017
    risk 0.32cvss 4.9epss 0.01

    Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology DiskStation (DSM) before 6.1.1-15088 allows remote authenticated attacker to exhaust the memory resources of the machine, causing a denial of service attack.

  • CVE-2013-6955Jan 9, 2014
    risk 0.10cvss epss 0.85

    webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD…

  • CVE-2013-6987Dec 31, 2013
    risk 0.04cvss epss 0.15

    Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter to file_delete.cgi or (2)…

  • CVE-2012-1556Sep 12, 2014
    risk 0.03cvss epss 0.03

    Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php.

  • CVE-2024-5401Dec 4, 2025
    risk 0.00cvss epss 0.00

    Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to…

  • CVE-2024-45539Dec 4, 2025
    risk 0.00cvss epss 0.00

    Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors.

  • CVE-2024-45538Dec 4, 2025
    risk 0.00cvss epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors.

  • CVE-2025-1021Apr 23, 2025
    risk 0.00cvss epss 0.00

    Missing authorization vulnerability in synocopy in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows remote attackers to read arbitrary files via unspecified vectors.

  • CVE-2024-50629Mar 19, 2025
    risk 0.00cvss epss 0.27

    Improper encoding or escaping of output vulnerability in the webapi component in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.1.1-42962-7, 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allow remote attackers to read limited files…

  • CVE-2024-10445Mar 19, 2025
    risk 0.00cvss epss 0.00

    Improper certificate validation vulnerability in the update functionality in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.1.1-42962-7, 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allow remote attackers to write…

Page 1 of 4