Vendor CVEs
Synology
All CVEs
319 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-26564 | 0.00 | — | 0.01 | Feb 26, 2021 | Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session. | |||
| CVE-2021-26563 | 0.00 | — | 0.01 | Feb 26, 2021 | Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors. | |||
| CVE-2021-26562 | 0.00 | — | 0.02 | Feb 26, 2021 | Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header. | |||
| CVE-2021-26561 | 0.00 | — | 0.02 | Feb 26, 2021 | Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header. | |||
| CVE-2021-26560 | 0.00 | — | 0.01 | Feb 26, 2021 | Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session. | |||
| CVE-2020-2503 | 0.00 | — | 0.01 | Dec 24, 2020 | If exploited, this stored cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later. | |||
| CVE-2020-2496 | 0.00 | — | 0.01 | Dec 10, 2020 | If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QANP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS… | |||
| CVE-2020-2495 | 0.00 | — | 0.01 | Dec 10, 2020 | If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QANP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS… | |||
| CVE-2020-27660 | 0.00 | — | 0.05 | Nov 30, 2020 | SQL injection vulnerability in request.cgi in Synology SafeAccess before 1.2.3-0234 allows remote attackers to execute arbitrary SQL commands via the domain parameter. | |||
| CVE-2020-27659 | 0.00 | — | 0.05 | Nov 30, 2020 | Multiple cross-site scripting (XSS) vulnerabilities in Synology SafeAccess before 1.2.3-0234 allow remote attackers to inject arbitrary web script or HTML via the (1) domain or (2) profile parameter. | |||
| CVE-2018-19956 | 0.00 | — | 0.01 | Nov 2, 2020 | The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions… | |||
| CVE-2018-19954 | 0.00 | — | 0.01 | Nov 2, 2020 | The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions… | |||
| CVE-2020-27656 | 0.00 | — | 0.01 | Oct 29, 2020 | Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors. | |||
| CVE-2020-27652 | 0.00 | — | 0.01 | Oct 29, 2020 | Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors. | |||
| CVE-2020-27650 | 0.00 | — | 0.01 | Oct 29, 2020 | Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session. | |||
| CVE-2020-27648 | 0.00 | — | 0.01 | Oct 29, 2020 | Improper certificate validation vulnerability in OpenVPN client in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||
| CVE-2020-27658 | 0.00 | — | 0.01 | Oct 29, 2020 | Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. | |||
| CVE-2020-27657 | 0.00 | — | 0.01 | Oct 29, 2020 | Cleartext transmission of sensitive information vulnerability in DDNS in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors. | |||
| CVE-2020-27655 | 0.00 | — | 0.02 | Oct 29, 2020 | Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic. | |||
| CVE-2020-27654 | 0.00 | — | 0.05 | Oct 29, 2020 | Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp. | |||
| CVE-2020-27653 | 0.00 | — | 0.01 | Oct 29, 2020 | Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors. | |||
| CVE-2020-27651 | 0.00 | — | 0.01 | Oct 29, 2020 | Synology Router Manager (SRM) before 1.2.4-8081 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session. | |||
| CVE-2020-27649 | 0.00 | — | 0.01 | Oct 29, 2020 | Improper certificate validation vulnerability in OpenVPN client in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||
| CVE-2019-11823 | 0.00 | — | 0.02 | May 4, 2020 | CRLF injection vulnerability in Network Center in Synology Router Manager (SRM) before 1.2.3-8017-2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic. | |||
| CVE-2019-11827 | 0.00 | — | 0.01 | Jun 30, 2019 | Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Shard in Synology Note Station before 2.5.3-0863 allows remote attackers to inject arbitrary web script or HTML via the object_id parameter. | |||
| CVE-2019-11828 | 0.00 | — | 0.01 | Jun 30, 2019 | Cross-site scripting (XSS) vulnerability in Chart in Synology Office before 3.1.4-2771 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2019-11829 | 0.00 | — | 0.02 | Jun 30, 2019 | OS command injection vulnerability in drivers_syno_import_user.php in Synology Calendar before 2.3.1-0617 allows remote attackers to execute arbitrary commands via the crafted 'X-Real-IP' header. | |||
| CVE-2019-11822 | 0.00 | — | 0.01 | Jun 30, 2019 | Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter. | |||
| CVE-2019-11821 | 0.00 | — | 0.02 | Jun 30, 2019 | SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter. | |||
| CVE-2019-11825 | 0.00 | — | 0.01 | Jun 30, 2019 | Cross-site scripting (XSS) vulnerability in Event Editor in Synology Calendar before 2.3.0-0615 allows remote attackers to inject arbitrary web script or HTML via the title parameter. | |||
| CVE-2019-11820 | 0.00 | — | 0.00 | May 9, 2019 | Information exposure through process environment vulnerability in Synology Calendar before 2.3.3-0620 allows local users to obtain credentials via cmdline. | |||
| CVE-2018-13299 | 0.00 | — | 0.01 | Apr 1, 2019 | Relative path traversal vulnerability in Attachment Uploader in Synology Calendar before 2.2.2-0532 allows remote authenticated users to upload arbitrary files via the filename parameter. | |||
| CVE-2018-13298 | 0.00 | — | 0.01 | Apr 1, 2019 | Channel accessible by non-endpoint vulnerability in privacy page in Synology Android Moments before 1.2.3-199 allows man-in-the-middle attackers to execute arbitrary code via unspecified vectors. | |||
| CVE-2018-13296 | 0.00 | — | 0.02 | Apr 1, 2019 | Uncontrolled resource consumption vulnerability in TLS configuration in Synology MailPlus Server before 2.0.5-0606 allows remote attackers to conduct denial-of-service attacks via client-initiated renegotiation. | |||
| CVE-2018-13295 | 0.00 | — | 0.01 | Apr 1, 2019 | Information exposure vulnerability in SYNO.Personal.Application.Info in Synology Application Service before 1.5.4-0320 allows remote authenticated users to obtain sensitive system information via the version parameter. | |||
| CVE-2018-13294 | 0.00 | — | 0.01 | Apr 1, 2019 | Information exposure vulnerability in SYNO.Personal.Profile in Synology Application Service before 1.5.4-0320 allows remote authenticated users to obtain sensitive system information via the uid parameter. | |||
| CVE-2018-13293 | 0.00 | — | 0.01 | Apr 1, 2019 | Cross-site scripting (XSS) vulnerability in Control Panel SSO Settings in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to inject arbitrary web script or HTML via the URL parameter. | |||
| CVE-2018-13291 | 0.00 | — | 0.01 | Apr 1, 2019 | Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to obtain sensitive information via the world readable configuration. | |||
| CVE-2018-13292 | 0.00 | — | 0.01 | Apr 1, 2019 | Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote authenticated users to obtain sensitive information via the world readable configuration. | |||
| CVE-2018-13290 | 0.00 | — | 0.01 | Apr 1, 2019 | Information exposure vulnerability in SYNO.Core.ACL in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote authenticated users to determine the existence of files or obtain sensitive information of files via the file_path parameter. | |||
| CVE-2018-13289 | 0.00 | — | 0.02 | Apr 1, 2019 | Information exposure vulnerability in SYNO.FolderSharing.List in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote attackers to obtain sensitive information via the (1) folder_path or (2) real_path parameter. | |||
| CVE-2018-13288 | 0.00 | — | 0.01 | Apr 1, 2019 | Information exposure vulnerability in SYNO.FolderSharing.List in Synology File Station before 1.2.3-0252 and before 1.1.5-0125 allows remote attackers to obtain sensitive information via the (1) folder_path or (2) real_path parameter. | |||
| CVE-2018-13287 | 0.00 | — | 0.01 | Apr 1, 2019 | Incorrect default permissions vulnerability in synouser.conf in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to obtain sensitive information via the world readable configuration. | |||
| CVE-2018-13285 | 0.00 | — | 0.02 | Apr 1, 2019 | Command injection vulnerability in ftpd in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command. | |||
| CVE-2018-13286 | 0.00 | — | 0.01 | Apr 1, 2019 | Incorrect default permissions vulnerability in synouser.conf in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to obtain sensitive information via the world readable configuration. | |||
| CVE-2018-13284 | 0.00 | — | 0.02 | Apr 1, 2019 | Command injection vulnerability in ftpd in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command. | |||
| CVE-2018-13283 | 0.00 | — | 0.01 | Apr 1, 2019 | Lack of administrator control over security vulnerability in client.cgi in Synology SSL VPN Client before 1.2.5-0226 allows remote attackers to conduct man-in-the-middle attacks via the (1) command, (2) hostname, or (3) port parameter. | |||
| CVE-2017-16775 | 0.00 | — | 0.01 | Apr 1, 2019 | Improper restriction of rendered UI layers or frames vulnerability in SSOOauth.cgi in Synology SSO Server before 2.1.3-0129 allows remote attackers to conduct clickjacking attacks via unspecified vectors. | |||
| CVE-2017-16774 | 0.00 | — | 0.01 | Apr 1, 2019 | Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter. | |||
| CVE-2018-8913 | 0.00 | — | 0.01 | Apr 1, 2019 | Missing custom error page vulnerability in Synology Web Station before 2.1.3-0139 allows remote attackers to conduct phishing attacks via a crafted URL. |
- CVE-2021-26564Feb 26, 2021risk 0.00cvss —epss 0.01
Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
- CVE-2021-26563Feb 26, 2021risk 0.00cvss —epss 0.01
Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
- CVE-2021-26562Feb 26, 2021risk 0.00cvss —epss 0.02
Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
- CVE-2021-26561Feb 26, 2021risk 0.00cvss —epss 0.02
Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
- CVE-2021-26560Feb 26, 2021risk 0.00cvss —epss 0.01
Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
- CVE-2020-2503Dec 24, 2020risk 0.00cvss —epss 0.01
If exploited, this stored cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later.
- CVE-2020-2496Dec 10, 2020risk 0.00cvss —epss 0.01
If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QANP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS…
- CVE-2020-2495Dec 10, 2020risk 0.00cvss —epss 0.01
If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QANP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS…
- CVE-2020-27660Nov 30, 2020risk 0.00cvss —epss 0.05
SQL injection vulnerability in request.cgi in Synology SafeAccess before 1.2.3-0234 allows remote attackers to execute arbitrary SQL commands via the domain parameter.
- CVE-2020-27659Nov 30, 2020risk 0.00cvss —epss 0.05
Multiple cross-site scripting (XSS) vulnerabilities in Synology SafeAccess before 1.2.3-0234 allow remote attackers to inject arbitrary web script or HTML via the (1) domain or (2) profile parameter.
- CVE-2018-19956Nov 2, 2020risk 0.00cvss —epss 0.01
The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions…
- CVE-2018-19954Nov 2, 2020risk 0.00cvss —epss 0.01
The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions…
- CVE-2020-27656Oct 29, 2020risk 0.00cvss —epss 0.01
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.
- CVE-2020-27652Oct 29, 2020risk 0.00cvss —epss 0.01
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
- CVE-2020-27650Oct 29, 2020risk 0.00cvss —epss 0.01
Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.
- CVE-2020-27648Oct 29, 2020risk 0.00cvss —epss 0.01
Improper certificate validation vulnerability in OpenVPN client in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
- CVE-2020-27658Oct 29, 2020risk 0.00cvss —epss 0.01
Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
- CVE-2020-27657Oct 29, 2020risk 0.00cvss —epss 0.01
Cleartext transmission of sensitive information vulnerability in DDNS in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.
- CVE-2020-27655Oct 29, 2020risk 0.00cvss —epss 0.02
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.
- CVE-2020-27654Oct 29, 2020risk 0.00cvss —epss 0.05
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
- CVE-2020-27653Oct 29, 2020risk 0.00cvss —epss 0.01
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
- CVE-2020-27651Oct 29, 2020risk 0.00cvss —epss 0.01
Synology Router Manager (SRM) before 1.2.4-8081 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.
- CVE-2020-27649Oct 29, 2020risk 0.00cvss —epss 0.01
Improper certificate validation vulnerability in OpenVPN client in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
- CVE-2019-11823May 4, 2020risk 0.00cvss —epss 0.02
CRLF injection vulnerability in Network Center in Synology Router Manager (SRM) before 1.2.3-8017-2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic.
- CVE-2019-11827Jun 30, 2019risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Shard in Synology Note Station before 2.5.3-0863 allows remote attackers to inject arbitrary web script or HTML via the object_id parameter.
- CVE-2019-11828Jun 30, 2019risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Chart in Synology Office before 3.1.4-2771 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2019-11829Jun 30, 2019risk 0.00cvss —epss 0.02
OS command injection vulnerability in drivers_syno_import_user.php in Synology Calendar before 2.3.1-0617 allows remote attackers to execute arbitrary commands via the crafted 'X-Real-IP' header.
- CVE-2019-11822Jun 30, 2019risk 0.00cvss —epss 0.01
Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter.
- CVE-2019-11821Jun 30, 2019risk 0.00cvss —epss 0.02
SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter.
- CVE-2019-11825Jun 30, 2019risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Event Editor in Synology Calendar before 2.3.0-0615 allows remote attackers to inject arbitrary web script or HTML via the title parameter.
- CVE-2019-11820May 9, 2019risk 0.00cvss —epss 0.00
Information exposure through process environment vulnerability in Synology Calendar before 2.3.3-0620 allows local users to obtain credentials via cmdline.
- CVE-2018-13299Apr 1, 2019risk 0.00cvss —epss 0.01
Relative path traversal vulnerability in Attachment Uploader in Synology Calendar before 2.2.2-0532 allows remote authenticated users to upload arbitrary files via the filename parameter.
- CVE-2018-13298Apr 1, 2019risk 0.00cvss —epss 0.01
Channel accessible by non-endpoint vulnerability in privacy page in Synology Android Moments before 1.2.3-199 allows man-in-the-middle attackers to execute arbitrary code via unspecified vectors.
- CVE-2018-13296Apr 1, 2019risk 0.00cvss —epss 0.02
Uncontrolled resource consumption vulnerability in TLS configuration in Synology MailPlus Server before 2.0.5-0606 allows remote attackers to conduct denial-of-service attacks via client-initiated renegotiation.
- CVE-2018-13295Apr 1, 2019risk 0.00cvss —epss 0.01
Information exposure vulnerability in SYNO.Personal.Application.Info in Synology Application Service before 1.5.4-0320 allows remote authenticated users to obtain sensitive system information via the version parameter.
- CVE-2018-13294Apr 1, 2019risk 0.00cvss —epss 0.01
Information exposure vulnerability in SYNO.Personal.Profile in Synology Application Service before 1.5.4-0320 allows remote authenticated users to obtain sensitive system information via the uid parameter.
- CVE-2018-13293Apr 1, 2019risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Control Panel SSO Settings in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to inject arbitrary web script or HTML via the URL parameter.
- CVE-2018-13291Apr 1, 2019risk 0.00cvss —epss 0.01
Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to obtain sensitive information via the world readable configuration.
- CVE-2018-13292Apr 1, 2019risk 0.00cvss —epss 0.01
Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote authenticated users to obtain sensitive information via the world readable configuration.
- CVE-2018-13290Apr 1, 2019risk 0.00cvss —epss 0.01
Information exposure vulnerability in SYNO.Core.ACL in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote authenticated users to determine the existence of files or obtain sensitive information of files via the file_path parameter.
- CVE-2018-13289Apr 1, 2019risk 0.00cvss —epss 0.02
Information exposure vulnerability in SYNO.FolderSharing.List in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote attackers to obtain sensitive information via the (1) folder_path or (2) real_path parameter.
- CVE-2018-13288Apr 1, 2019risk 0.00cvss —epss 0.01
Information exposure vulnerability in SYNO.FolderSharing.List in Synology File Station before 1.2.3-0252 and before 1.1.5-0125 allows remote attackers to obtain sensitive information via the (1) folder_path or (2) real_path parameter.
- CVE-2018-13287Apr 1, 2019risk 0.00cvss —epss 0.01
Incorrect default permissions vulnerability in synouser.conf in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to obtain sensitive information via the world readable configuration.
- CVE-2018-13285Apr 1, 2019risk 0.00cvss —epss 0.02
Command injection vulnerability in ftpd in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command.
- CVE-2018-13286Apr 1, 2019risk 0.00cvss —epss 0.01
Incorrect default permissions vulnerability in synouser.conf in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to obtain sensitive information via the world readable configuration.
- CVE-2018-13284Apr 1, 2019risk 0.00cvss —epss 0.02
Command injection vulnerability in ftpd in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command.
- CVE-2018-13283Apr 1, 2019risk 0.00cvss —epss 0.01
Lack of administrator control over security vulnerability in client.cgi in Synology SSL VPN Client before 1.2.5-0226 allows remote attackers to conduct man-in-the-middle attacks via the (1) command, (2) hostname, or (3) port parameter.
- CVE-2017-16775Apr 1, 2019risk 0.00cvss —epss 0.01
Improper restriction of rendered UI layers or frames vulnerability in SSOOauth.cgi in Synology SSO Server before 2.1.3-0129 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
- CVE-2017-16774Apr 1, 2019risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter.
- CVE-2018-8913Apr 1, 2019risk 0.00cvss —epss 0.01
Missing custom error page vulnerability in Synology Web Station before 2.1.3-0139 allows remote attackers to conduct phishing attacks via a crafted URL.
Page 6 of 7