Synology

All CVEs

319 total · sorted by risk
  • CVE-2021-26564 · Feb 26, 2021
    risk 0.00 · cvss · epss 0.01

    Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.

  • CVE-2021-26563 · Feb 26, 2021
    risk 0.00 · cvss · epss 0.01

    Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.

  • CVE-2021-26562 · Feb 26, 2021
    risk 0.00 · cvss · epss 0.02

    Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.

  • CVE-2021-26561 · Feb 26, 2021
    risk 0.00 · cvss · epss 0.02

    Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.

  • CVE-2021-26560 · Feb 26, 2021
    risk 0.00 · cvss · epss 0.01

    Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.

  • CVE-2020-2503 · Dec 24, 2020
    risk 0.00 · cvss · epss 0.01

    If exploited, this stored cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later.

  • CVE-2020-2496 · Dec 10, 2020
    risk 0.00 · cvss · epss 0.01

    If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QNAP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS…

  • CVE-2020-2495 · Dec 10, 2020
    risk 0.00 · cvss · epss 0.01

    If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QNAP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero. QuTS hero h4.5.1.1472 build 20201031 and later QTS…

  • CVE-2020-27660 · Nov 30, 2020
    risk 0.00 · cvss · epss 0.05

    SQL injection vulnerability in request.cgi in Synology SafeAccess before 1.2.3-0234 allows remote attackers to execute arbitrary SQL commands via the domain parameter.

  • CVE-2020-27659 · Nov 30, 2020
    risk 0.00 · cvss · epss 0.05

    Multiple cross-site scripting (XSS) vulnerabilities in Synology SafeAccess before 1.2.3-0234 allow remote attackers to inject arbitrary web script or HTML via the (1) domain or (2) profile parameter.

  • CVE-2018-19956 · Nov 2, 2020
    risk 0.00 · cvss · epss 0.01

    The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions…

  • CVE-2018-19954 · Nov 2, 2020
    risk 0.00 · cvss · epss 0.01

    The cross-site scripting vulnerability has been reported to affect earlier versions of Photo Station. If exploited, the vulnerability could allow remote attackers to inject malicious code. This issue affects: QNAP Systems Inc. Photo Station versions prior to 5.7.11; versions…

  • CVE-2020-27656 · Oct 29, 2020
    risk 0.00 · cvss · epss 0.01

    Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.

  • CVE-2020-27652 · Oct 29, 2020
    risk 0.00 · cvss · epss 0.01

    Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.

  • CVE-2020-27650 · Oct 29, 2020
    risk 0.00 · cvss · epss 0.01

    Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

  • CVE-2020-27648 · Oct 29, 2020
    risk 0.00 · cvss · epss 0.01

    Improper certificate validation vulnerability in OpenVPN client in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

  • CVE-2020-27658 · Oct 29, 2020
    risk 0.00 · cvss · epss 0.01

    Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

  • CVE-2020-27657 · Oct 29, 2020
    risk 0.00 · cvss · epss 0.01

    Cleartext transmission of sensitive information vulnerability in DDNS in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.

  • CVE-2020-27655 · Oct 29, 2020
    risk 0.00 · cvss · epss 0.02

    Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.

  • CVE-2020-27654 · Oct 29, 2020
    risk 0.00 · cvss · epss 0.05

    Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.

  • CVE-2020-27653 · Oct 29, 2020
    risk 0.00 · cvss · epss 0.01

    Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.

  • CVE-2020-27651 · Oct 29, 2020
    risk 0.00 · cvss · epss 0.01

    Synology Router Manager (SRM) before 1.2.4-8081 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

  • CVE-2020-27649 · Oct 29, 2020
    risk 0.00 · cvss · epss 0.01

    Improper certificate validation vulnerability in OpenVPN client in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

  • CVE-2019-11823 · May 4, 2020
    risk 0.00 · cvss · epss 0.02

    CRLF injection vulnerability in Network Center in Synology Router Manager (SRM) before 1.2.3-8017-2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic.

  • CVE-2019-11827 · Jun 30, 2019
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Shard in Synology Note Station before 2.5.3-0863 allows remote attackers to inject arbitrary web script or HTML via the object_id parameter.

  • CVE-2019-11828 · Jun 30, 2019
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in Chart in Synology Office before 3.1.4-2771 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2019-11829 · Jun 30, 2019
    risk 0.00 · cvss · epss 0.02

    OS command injection vulnerability in drivers_syno_import_user.php in Synology Calendar before 2.3.1-0617 allows remote attackers to execute arbitrary commands via the crafted 'X-Real-IP' header.

  • CVE-2019-11822 · Jun 30, 2019
    risk 0.00 · cvss · epss 0.01

    Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter.

  • CVE-2019-11821 · Jun 30, 2019
    risk 0.00 · cvss · epss 0.02

    SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL commands via the type parameter.

  • CVE-2019-11825 · Jun 30, 2019
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in Event Editor in Synology Calendar before 2.3.0-0615 allows remote attackers to inject arbitrary web script or HTML via the title parameter.

  • CVE-2019-11820 · May 9, 2019
    risk 0.00 · cvss · epss 0.00

    Information exposure through process environment vulnerability in Synology Calendar before 2.3.3-0620 allows local users to obtain credentials via cmdline.

  • CVE-2018-13299 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.01

    Relative path traversal vulnerability in Attachment Uploader in Synology Calendar before 2.2.2-0532 allows remote authenticated users to upload arbitrary files via the filename parameter.

  • CVE-2018-13298 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.01

    Channel accessible by non-endpoint vulnerability in privacy page in Synology Android Moments before 1.2.3-199 allows man-in-the-middle attackers to execute arbitrary code via unspecified vectors.

  • CVE-2018-13296 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.02

    Uncontrolled resource consumption vulnerability in TLS configuration in Synology MailPlus Server before 2.0.5-0606 allows remote attackers to conduct denial-of-service attacks via client-initiated renegotiation.

  • CVE-2018-13295 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.01

    Information exposure vulnerability in SYNO.Personal.Application.Info in Synology Application Service before 1.5.4-0320 allows remote authenticated users to obtain sensitive system information via the version parameter.

  • CVE-2018-13294 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.01

    Information exposure vulnerability in SYNO.Personal.Profile in Synology Application Service before 1.5.4-0320 allows remote authenticated users to obtain sensitive system information via the uid parameter.

  • CVE-2018-13293 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in Control Panel SSO Settings in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to inject arbitrary web script or HTML via the URL parameter.

  • CVE-2018-13291 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.01

    Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to obtain sensitive information via the world readable configuration.

  • CVE-2018-13292 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.01

    Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote authenticated users to obtain sensitive information via the world readable configuration.

  • CVE-2018-13290 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.01

    Information exposure vulnerability in SYNO.Core.ACL in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote authenticated users to determine the existence of files or obtain sensitive information of files via the file_path parameter.

  • CVE-2018-13289 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.02

    Information exposure vulnerability in SYNO.FolderSharing.List in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote attackers to obtain sensitive information via the (1) folder_path or (2) real_path parameter.

  • CVE-2018-13288 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.01

    Information exposure vulnerability in SYNO.FolderSharing.List in Synology File Station before 1.2.3-0252 and before 1.1.5-0125 allows remote attackers to obtain sensitive information via the (1) folder_path or (2) real_path parameter.

  • CVE-2018-13287 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.01

    Incorrect default permissions vulnerability in synouser.conf in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to obtain sensitive information via the world readable configuration.

  • CVE-2018-13285 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.02

    Command injection vulnerability in ftpd in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command.

  • CVE-2018-13286 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.01

    Incorrect default permissions vulnerability in synouser.conf in Synology DiskStation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to obtain sensitive information via the world readable configuration.

  • CVE-2018-13284 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.02

    Command injection vulnerability in ftpd in Synology DiskStation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command.

  • CVE-2018-13283 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.01

    Lack of administrator control over security vulnerability in client.cgi in Synology SSL VPN Client before 1.2.5-0226 allows remote attackers to conduct man-in-the-middle attacks via the (1) command, (2) hostname, or (3) port parameter.

  • CVE-2017-16775 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.01

    Improper restriction of rendered UI layers or frames vulnerability in SSOOauth.cgi in Synology SSO Server before 2.1.3-0129 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

  • CVE-2017-16774 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter.

  • CVE-2018-8913 · Apr 1, 2019
    risk 0.00 · cvss · epss 0.01

    Missing custom error page vulnerability in Synology Web Station before 2.1.3-0139 allows remote attackers to conduct phishing attacks via a crafted URL.

Page 6 of 7