Vulnerabilites related to synology - photo_station
Vulnerability from fkie_nvd
Published
2017-12-04 19:29
Modified
2025-04-20 01:37
Severity ?
Summary
An information exposure vulnerability in default HTTP configuration file in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain sensitive system information via .htaccess file.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * | |
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA4ECA6-0266-475F-8D42-508B7F4F12EF",
"versionEndExcluding": "6.3-2970",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3E77F1B7-8AD1-42F5-BA8A-9F278100756B",
"versionEndExcluding": "6.8.1-3458",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An information exposure vulnerability in default HTTP configuration file in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain sensitive system information via .htaccess file."
},
{
"lang": "es",
"value": "Una vulnerabilidad de exposici\u00f3n de informaci\u00f3n en el archivo de configuraci\u00f3n HTTP por defecto en Synology Photo Station en versiones anteriores a la 6.8.1-3458 y a la 6.3-2970 permite que atacantes remotos obtengan informaci\u00f3n sensible del sistema mediante el archivo .htaccess."
}
],
"id": "CVE-2017-12080",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-04T19:29:00.267",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_63_Photo_Station"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_63_Photo_Station"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-06-30 13:29
Modified
2025-04-20 01:37
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2D392B8A-1DCF-4B74-921B-4A2A55F794DE",
"versionEndIncluding": "6.3-2960",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos."
},
{
"lang": "es",
"value": "Varias vulnerabilidades de XSS (cross-site scripting) en Synology Photo Station versi\u00f3n 6.0 y anteriores a la 6.0-2638, versi\u00f3n 6.3 y anteriores a la 6.3-2962, permiten a atacantes remotos autenticados inyectar secuencias de comandos web o HTML a trav\u00e9s del (1) nombre del \u00e1lbum (2) nombre de las im\u00e1genes subidas, (3) descripci\u00f3n de fotos, o (4) etiqueta de las fotos."
}
],
"id": "CVE-2015-9102",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-30T13:29:00.177",
"references": [
{
"source": "security@synology.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-103"
},
{
"source": "security@synology.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-104"
},
{
"source": "security@synology.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-109"
},
{
"source": "security@synology.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-112"
},
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_3_2962"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-103"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-104"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-109"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-112"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_3_2962"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-09-08 14:29
Modified
2025-04-20 01:37
Severity ?
Summary
Directory traversal vulnerability in synphotoio in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to read arbitrary files via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * | |
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "23EC868E-F493-4A58-B3D5-0D05F33725FD",
"versionEndIncluding": "6.3-2967",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9EDAA6AE-EA8A-4B2E-A36D-9EBC48BFC485",
"versionEndIncluding": "6.7.3-3432",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in synphotoio in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to read arbitrary files via unspecified vectors."
},
{
"lang": "es",
"value": "Una vulnerabilidad de salto de directorio en synphotoio en Synology Photo Station en versiones anteriores a la 6.7.4-3433 y a la 6.3-2968 permite que atacantes remotos autenticados lean archivos arbitrarios mediante vectores no especificados."
}
],
"id": "CVE-2017-11162",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-09-08T14:29:00.260",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-05-12 20:29
Modified
2025-04-20 01:37
Severity ?
Summary
Directory traversal vulnerability in download.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to read arbitrary files via a full pathname in the id parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5760E52D-1708-4C41-B8F3-0348D1F38944",
"versionEndIncluding": "6.5.2-3225",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in download.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to read arbitrary files via a full pathname in the id parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de directorio en download.php en Synology Photo Station en versiones anteriores a la 6.5.3-3226, que permitir\u00eda a atacantes remotos leer ficheros arbitrarios a trav\u00e9s de una ruta completa en el par\u00e1metro id."
}
],
"id": "CVE-2016-10331",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-05-12T20:29:00.283",
"references": [
{
"source": "security@synology.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-06-Local-File-Inclusion"
},
{
"source": "security@synology.com",
"tags": [
"Release Notes"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-06-Local-File-Inclusion"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-04-10 18:59
Modified
2025-04-20 01:37
Severity ?
Summary
Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://seclists.org/oss-sec/2016/q1/236 | Exploit, Mailing List, Third Party Advisory | |
| cve@mitre.org | https://www.synology.com/en-us/releaseNote/PhotoStation | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/oss-sec/2016/q1/236 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.synology.com/en-us/releaseNote/PhotoStation | Release Notes |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8ED2C3F6-2BFE-473A-8D4B-480D508339EE",
"versionEndIncluding": "6.3-2954",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php."
},
{
"lang": "es",
"value": "Synology Photo Station en versiones anteriores a 6.3-2958 permite a los usuarios invitados autenticados remotos ejecutar comandos arbitrarios a trav\u00e9s de metacaracteres de shell en el encabezado HTTP X-Forwarded-For a photo/login.php."
}
],
"id": "CVE-2016-10322",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-04-10T18:59:00.157",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2016/q1/236"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.synology.com/en-us/releaseNote/PhotoStation"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2016/q1/236"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.synology.com/en-us/releaseNote/PhotoStation"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-06-30 15:15
Modified
2024-11-21 04:21
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * | |
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "63B04A23-434D-4284-803F-BB550AC27367",
"versionEndExcluding": "6.3-2977",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1D40DE51-B332-485D-8152-000C3E901B74",
"versionEndExcluding": "6.8.11-3489",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter."
},
{
"lang": "es",
"value": "Una vulnerabilidad de salto de ruta (path) relativa en el archivo SYNO.PhotoStation.File en Synology Photo Station anterior a versi\u00f3n 6.8.11-3489 y anterior a versi\u00f3n 6.3-2977, permite a los atacantes remotos cargar archivos arbitrarios por medio del par\u00e1metro uploadphoto."
}
],
"id": "CVE-2019-11822",
"lastModified": "2024-11-21T04:21:50.023",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-06-30T15:15:09.683",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_19_01"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_19_01"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-23"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-02-23 22:29
Modified
2024-11-21 03:16
Severity ?
Summary
Exposure of private information vulnerability in Photo Viewer in Synology Photo Station 6.8.1-3458 allows remote attackers to obtain metadata from password-protected photographs via the map viewer mode.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | 6.8.1-3458 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:6.8.1-3458:*:*:*:*:*:*:*",
"matchCriteriaId": "CE65E503-89C0-46A5-BF53-0EFA176F2E92",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Exposure of private information vulnerability in Photo Viewer in Synology Photo Station 6.8.1-3458 allows remote attackers to obtain metadata from password-protected photographs via the map viewer mode."
},
{
"lang": "es",
"value": "Vulnerabilidad de exposici\u00f3n de informaci\u00f3n privada en Photo Viewer en Synology Photo Station 6.8.1-3458 permite que atacantes remotos obtengan metadatos de fotograf\u00edas protegidas con contrase\u00f1a mediante el modo de vista de mapa."
}
],
"id": "CVE-2017-16769",
"lastModified": "2024-11-21T03:16:56.240",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-23T22:29:00.217",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_76"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_76"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-359"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-06-08 13:29
Modified
2024-11-21 04:14
Severity ?
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Permissive regular expression vulnerability in synophoto_dsm_user in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote authenticated users to conduct privilege escalation attacks via the fullname parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * | |
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CBF9F4EA-7FB0-4C8C-BC49-6AB435E89341",
"versionEndIncluding": "6.3-2975",
"versionStartIncluding": "6.3-2958",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AB7E17E9-519F-4E9E-BD76-C469929B3D13",
"versionEndExcluding": "6.8.5-3471",
"versionStartIncluding": "6.8.0-3456",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Permissive regular expression vulnerability in synophoto_dsm_user in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote authenticated users to conduct privilege escalation attacks via the fullname parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de expresi\u00f3n regular permisiva en synophoto_dsm_user en SYNOPHOTO_Flickr_MultiUpload en Synology Photo Station, en versiones anteriores a la 6.8.5-3471 y a la 6.3-2975, permite que usuarios autenticados remotos lleven a cabo ataques de escalado de privilegios mediante el par\u00e1metro fullname."
}
],
"id": "CVE-2018-8926",
"lastModified": "2024-11-21T04:14:37.077",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-06-08T13:29:01.470",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/zh-tw/support/security/Synology_SA_18_15"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/zh-tw/support/security/Synology_SA_18_15"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-625"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-08-08 15:29
Modified
2025-04-20 01:37
Severity ?
Summary
Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@synology.com | https://www.exploit-db.com/exploits/42434/ | Third Party Advisory, VDB Entry | |
| security@synology.com | https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/42434/ | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * | |
| synology | photo_station | 6.3-2967 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FAD31531-C414-44A3-AE98-4FD62506367A",
"versionEndIncluding": "6.7.2-3429",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.3-2967:*:*:*:*:*:*:*",
"matchCriteriaId": "DE5F6615-7773-42A5-9A58-7248D4820E46",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter."
},
{
"lang": "es",
"value": "Una vulnerabilidad de salto de directorio en PixlrEditorHandler.php en Synology Photo Station en versiones anteriores a la 6.7.3-3432 y a la 6.3-2967 permite que atacantes remotos escriban archivos arbitrarios mediante el par\u00e1metro path."
}
],
"id": "CVE-2017-11152",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-08T15:29:07.740",
"references": [
{
"source": "security@synology.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/42434/"
},
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/42434/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-04-10 18:59
Modified
2025-04-20 01:37
Severity ?
Summary
Synology Photo Station before 6.3-2958 allows local users to gain privileges by leveraging setuid execution of a "synophoto_dsm_user --copy-no-ea" command.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://seclists.org/oss-sec/2016/q1/236 | Exploit, Mailing List, Third Party Advisory | |
| cve@mitre.org | https://www.synology.com/en-us/releaseNote/PhotoStation | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/oss-sec/2016/q1/236 | Exploit, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.synology.com/en-us/releaseNote/PhotoStation | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22973E50-510E-4680-B803-529038A4D576",
"versionEndExcluding": "6.3-2958",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Synology Photo Station before 6.3-2958 allows local users to gain privileges by leveraging setuid execution of a \"synophoto_dsm_user --copy-no-ea\" command."
},
{
"lang": "es",
"value": "Synology Photo Station en versiones anteriores a 6.3-2958 permite a los usuarios locales obtener privilegios aprovechando la ejecuci\u00f3n de setuid de un comando \"synophoto_dsm_user --copy-no-ea\"."
}
],
"id": "CVE-2016-10323",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-04-10T18:59:00.190",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2016/q1/236"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.synology.com/en-us/releaseNote/PhotoStation"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2016/q1/236"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.synology.com/en-us/releaseNote/PhotoStation"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-03-22 14:29
Modified
2024-11-21 03:16
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Log Viewer in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote attackers to inject arbitrary web script or HTML via the username parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * | |
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "30430328-602F-4557-BD99-F389E90D9F60",
"versionEndExcluding": "6.8.3-3463",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5809B007-0B00-4658-AAF6-5859BF87318E",
"versionEndExcluding": "6.3-2971",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Log Viewer in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote attackers to inject arbitrary web script or HTML via the username parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Scripting (XSS) en Log Viewer en Synology Photo Station, en versiones anteriores a la 6.8.3-3463 y anteriores a la 6.3-2971, permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante el par\u00e1metro username."
}
],
"id": "CVE-2017-16771",
"lastModified": "2024-11-21T03:16:56.457",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-03-22T14:29:00.487",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_18_02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_18_02"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-06-30 15:15
Modified
2024-11-21 04:21
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * | |
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "63B04A23-434D-4284-803F-BB550AC27367",
"versionEndExcluding": "6.3-2977",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1D40DE51-B332-485D-8152-000C3E901B74",
"versionEndExcluding": "6.8.11-3489",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n de SQL en el archivo synophoto_csPhotoDB.php en Synology Photo Station anterior a versi\u00f3n 6.8.11-3489 y anterior a versi\u00f3n 6.3-2977, permite a los atacantes remotos ejecutar comandos SQL arbitrarios por medio del par\u00e1metro type."
}
],
"id": "CVE-2019-11821",
"lastModified": "2024-11-21T04:21:49.913",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-06-30T15:15:09.603",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_19_01"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_19_01"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-06-18 18:59
Modified
2025-04-12 10:46
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php or (2) crafted URL parameters to index.php, as demonstrated by the t parameter to photo/.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B76330ED-12E5-4DB4-90B9-C726A00F9418",
"versionEndIncluding": "6.3-2944",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php or (2) crafted URL parameters to index.php, as demonstrated by the t parameter to photo/."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de XSS en Synology Photo Station anterior a 6.3-2945 permiten a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a trav\u00e9s (1) del par\u00e1metro success en login.php o (2) de par\u00e1metros URL manipulados en index.php, tal y como fue demostrado por el par\u00e1metro t en photo/."
}
],
"id": "CVE-2015-4656",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-06-18T18:59:09.007",
"references": [
{
"source": "cve@mitre.org",
"url": "http://seclists.org/fulldisclosure/2015/May/110"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/74816"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.securify.nl/advisory/SFY20150504/synology_photo_station_multiple_cross_site_scripting_vulnerabilities.html"
},
{
"source": "cve@mitre.org",
"url": "https://www.synology.com/en-us/support/security/Photo_Station_2945"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2015/May/110"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/74816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.securify.nl/advisory/SFY20150504/synology_photo_station_multiple_cross_site_scripting_vulnerabilities.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.synology.com/en-us/support/security/Photo_Station_2945"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-07-06 08:15
Modified
2024-11-21 06:47
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D0E19FDD-C2BB-4A49-AC09-9E2D6B581220",
"versionEndExcluding": "6.8.16-3506",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Fijaci\u00f3n de Sesi\u00f3n en la administraci\u00f3n del control de acceso en Synology Photo Station versiones anteriores a 6.8.16-3506, permite a atacantes remotos omitir las restricciones de seguridad por medio de vectores no especificados"
}
],
"id": "CVE-2022-22681",
"lastModified": "2024-11-21T06:47:15.570",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-06T08:15:07.047",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_21_26"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_21_26"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-384"
}
],
"source": "security@synology.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-03-22 14:29
Modified
2024-11-21 03:16
Severity ?
Summary
Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUpload in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote authenticated users to execute arbitrary codes via the prog_id parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * | |
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "30430328-602F-4557-BD99-F389E90D9F60",
"versionEndExcluding": "6.8.3-3463",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5809B007-0B00-4658-AAF6-5859BF87318E",
"versionEndExcluding": "6.3-2971",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUpload in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote authenticated users to execute arbitrary codes via the prog_id parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de validaci\u00f3n de entradas incorrecta en PixlrEditorHandler.php en SYNOPHOTO_Flickr_MultiUpload en Synology Photo Station, en versiones anteriores a la 6.8.3-3463 y a la 6.3-2971, permite que usuarios autenticados remotos ejecuten c\u00f3digo arbitrario mediante el par\u00e1metro prog_id."
}
],
"id": "CVE-2017-16772",
"lastModified": "2024-11-21T03:16:56.567",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-03-22T14:29:00.537",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_18_02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_18_02"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-08-08 15:29
Modified
2025-04-20 01:37
Severity ?
Summary
An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to obtain sensitive system information via unspecified vectors.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@synology.com | https://www.exploit-db.com/exploits/42434/ | Third Party Advisory, VDB Entry | |
| security@synology.com | https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/42434/ | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * | |
| synology | photo_station | 6.3-2967 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FAD31531-C414-44A3-AE98-4FD62506367A",
"versionEndIncluding": "6.7.2-3429",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.3-2967:*:*:*:*:*:*:*",
"matchCriteriaId": "DE5F6615-7773-42A5-9A58-7248D4820E46",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to obtain sensitive system information via unspecified vectors."
},
{
"lang": "es",
"value": "Una vulnerabilidad de exposici\u00f3n de informaci\u00f3n en index.php en Synology Photo Station en versiones anteriores a la 6.7.3-3432 y a la 6.3-2967 permite que atacantes remotos obtengan informaci\u00f3n sensible del sistema mediante vectores sin especificar."
}
],
"id": "CVE-2017-11155",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-08T15:29:07.837",
"references": [
{
"source": "security@synology.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/42434/"
},
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/42434/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-205"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-08-24 19:29
Modified
2025-04-20 01:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.0-3414 allows remote attackers to inject arbitrary web script or HTML via the image parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0F89C6A8-C2CF-4C09-A4D1-BF23B7237DE4",
"versionEndIncluding": "6.6.3-3347",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.0-3414 allows remote attackers to inject arbitrary web script or HTML via the image parameter."
},
{
"lang": "es",
"value": "Una vulnerabildad de tipo Cross-Site Scripting (XSS) en PixlrEditorHandler.php en Synology Photo Station en versiones anteriores a la 6.7.0-3414 permite que atacantes remotos inyecten script web o HTML arbitrario mediante el par\u00e1metro image."
}
],
"id": "CVE-2017-9555",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-24T19:29:00.280",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_47_Photo_Station"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_47_Photo_Station"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-06-02 02:15
Modified
2024-11-21 06:00
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to write arbitrary files via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F4624656-B826-4A6B-B53D-185153937C0B",
"versionEndExcluding": "6.8.14-3500",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027) vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to write arbitrary files via unspecified vectors."
},
{
"lang": "es",
"value": "Una vulnerabilidad de limitaci\u00f3n inapropiada de un nombre de ruta a un directorio restringido (\"Path Traversal\") en el componente file management en Synology Photo Station versiones anteriores a 6.8.14-3500, permite a usuarios remotos autenticados escribir archivos arbitrarios por medio de vectores no especificados"
}
],
"id": "CVE-2021-29091",
"lastModified": "2024-11-21T06:00:41.807",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-02T02:15:07.017",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security@synology.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-10-31 16:29
Modified
2024-11-21 03:46
Severity ?
5.6 (Medium) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Summary
Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * | |
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FEE26574-62F0-48B6-8839-2B07EE54E721",
"versionEndExcluding": "6.3-2976",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0B7C5B92-22D2-4775-92DD-5876A2E5479E",
"versionEndExcluding": "6.8.7-3481",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter."
},
{
"lang": "es",
"value": "Una vulnerabilidad de fijaci\u00f3n de sesi\u00f3n en SYNO.PhotoStation.Auth en Synology Photo Station en versiones anteriores a la 6.8.7-3481 permite que atacantes remotos secuestren sesiones web mediante el par\u00e1metro PHPSESSID."
}
],
"id": "CVE-2018-13282",
"lastModified": "2024-11-21T03:46:45.160",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 3.4,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-10-31T16:29:00.393",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_18_37"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_18_37"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-384"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-384"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-09-08 14:29
Modified
2025-04-20 01:37
Severity ?
Summary
Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via the url parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * | |
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "23EC868E-F493-4A58-B3D5-0D05F33725FD",
"versionEndIncluding": "6.3-2967",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9EDAA6AE-EA8A-4B2E-A36D-9EBC48BFC485",
"versionEndIncluding": "6.7.3-3432",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via the url parameter."
},
{
"lang": "es",
"value": "Una vulnerabilidad Server-Side Request Forgery (SSRF) en file_upload.php en Synology Photo Station en versiones anteriores a la 6.7.4-3433 y 6.3-2968 permite que usuarios remotos autenticados descarguen archivos locales arbitrarios mediante el par\u00e1metro url."
}
],
"id": "CVE-2017-12071",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-09-08T14:29:00.290",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-05-12 20:29
Modified
2025-04-20 01:37
Severity ?
Summary
Directory traversal vulnerability in synophoto_dsm_user, a SUID program, as used in Synology Photo Station before 6.5.3-3226 allows local users to write to arbitrary files via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5760E52D-1708-4C41-B8F3-0348D1F38944",
"versionEndIncluding": "6.5.2-3225",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in synophoto_dsm_user, a SUID program, as used in Synology Photo Station before 6.5.3-3226 allows local users to write to arbitrary files via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de directorio en synophoto_dsm_user, un programa SUID, tal como se utiliza en Synology Photo Station en versiones anteriores a la 6.5.3-3226, permite a usuarios locales escribir en ficheros arbitrarios a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2016-10330",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-05-12T20:29:00.250",
"references": [
{
"source": "security@synology.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://seclists.org/oss-sec/2016/q1/236"
},
{
"source": "security@synology.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-03-Read-Write-Arbitrary-Files"
},
{
"source": "security@synology.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-04-Privilege-Escalation"
},
{
"source": "security@synology.com",
"tags": [
"Release Notes"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://seclists.org/oss-sec/2016/q1/236"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-03-Read-Write-Arbitrary-Files"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-04-Privilege-Escalation"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-08-08 15:29
Modified
2025-04-20 01:37
Severity ?
Summary
Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type parameter.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@synology.com | https://www.exploit-db.com/exploits/42434/ | Third Party Advisory, VDB Entry | |
| security@synology.com | https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/42434/ | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * | |
| synology | photo_station | 6.3-2967 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FAD31531-C414-44A3-AE98-4FD62506367A",
"versionEndIncluding": "6.7.2-3429",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.3-2967:*:*:*:*:*:*:*",
"matchCriteriaId": "DE5F6615-7773-42A5-9A58-7248D4820E46",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type parameter."
},
{
"lang": "es",
"value": "Una vulnerabilidad de subida de archivos sin restricciones en PixlrEditorHandler.php en Synology Photo Station en versiones anteriores a la 6.7.3-3432 y a la 6.3-2967 permite que atacantes remotos creen scripts PHP arbitrarios mediante el par\u00e1metro type."
}
],
"id": "CVE-2017-11154",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-08T15:29:07.803",
"references": [
{
"source": "security@synology.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/42434/"
},
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/42434/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-12-04 19:29
Modified
2025-04-20 01:37
Severity ?
Summary
Files or directories accessible to external parties vulnerability in picasa.php in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain arbitrary files via prog_id field.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * | |
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3E77F1B7-8AD1-42F5-BA8A-9F278100756B",
"versionEndExcluding": "6.8.1-3458",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA4ECA6-0266-475F-8D42-508B7F4F12EF",
"versionEndExcluding": "6.3-2970",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Files or directories accessible to external parties vulnerability in picasa.php in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain arbitrary files via prog_id field."
},
{
"lang": "es",
"value": "Vulnerabilidad de archivos o directorios accesibles para terceros en picasa.php en Synology Photo Station en versiones anteriores a la 6.8.1-3458 y a la 6.3-2970 permite que atacantes remotos obtengan archivos arbitrarios mediante el campo prog_id."
}
],
"id": "CVE-2017-12079",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-04T19:29:00.220",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_63_Photo_Station"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_63_Photo_Station"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-552"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-06-13 13:29
Modified
2025-04-20 01:37
Severity ?
Summary
A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by "synophoto_dsm_user --auth USERNAME PASSWORD", and local users are able to obtain credentials by sniffing "/proc/*/cmdline".
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@synology.com | http://blog.crozat.net/2017/06/synology-photostation-password-vulnerabilty.html | Issue Tracking, Third Party Advisory | |
| security@synology.com | https://www.synology.com/en-global/support/security/Photo_Station_CVE_2017_9552 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://blog.crozat.net/2017/06/synology-photostation-password-vulnerabilty.html | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.synology.com/en-global/support/security/Photo_Station_CVE_2017_9552 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | 6.0-2528 | |
| synology | photo_station | 6.0-2636 | |
| synology | photo_station | 6.0-2638 | |
| synology | photo_station | 6.0-2639 | |
| synology | photo_station | 6.0-2640 | |
| synology | photo_station | 6.3-2944 | |
| synology | photo_station | 6.3-2958 | |
| synology | photo_station | 6.3-2960 | |
| synology | photo_station | 6.3-2962 | |
| synology | photo_station | 6.3-2963 | |
| synology | photo_station | 6.3-2964 | |
| synology | photo_station | 6.3-2965 | |
| synology | photo_station | 6.4-3166 | |
| synology | photo_station | 6.5.0-3218 | |
| synology | photo_station | 6.5.1-3223 | |
| synology | photo_station | 6.5.2-3225 | |
| synology | photo_station | 6.5.3-3226 | |
| synology | photo_station | 6.6.0-3339 | |
| synology | photo_station | 6.6.1-3345 | |
| synology | photo_station | 6.6.1-3346 | |
| synology | photo_station | 6.6.2-3346 | |
| synology | photo_station | 6.6.3-3347 | |
| synology | photo_station | 6.7.0-3414 | |
| synology | photo_station | 6.7.1-3419 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:6.0-2528:*:*:*:*:*:*:*",
"matchCriteriaId": "CEE9CF02-0D29-4E25-940D-ABA70396800E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.0-2636:*:*:*:*:*:*:*",
"matchCriteriaId": "4E5CB965-0DB4-470C-810F-93255FD6EE62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.0-2638:*:*:*:*:*:*:*",
"matchCriteriaId": "0AF0D228-FAD1-44AF-A103-CF4157ADB687",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.0-2639:*:*:*:*:*:*:*",
"matchCriteriaId": "DD30021D-5B1B-4694-AAAB-DA87991B4B7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.0-2640:*:*:*:*:*:*:*",
"matchCriteriaId": "BA2F2249-CBAA-48AD-94DF-2CF34D44A436",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.3-2944:*:*:*:*:*:*:*",
"matchCriteriaId": "EF213FE4-EE94-41A0-B240-F3F66253380D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.3-2958:*:*:*:*:*:*:*",
"matchCriteriaId": "56C66145-57EC-4482-A60A-5C91655ED43F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.3-2960:*:*:*:*:*:*:*",
"matchCriteriaId": "612BD0F4-09E4-46F6-8069-628DC5F14C70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.3-2962:*:*:*:*:*:*:*",
"matchCriteriaId": "314BBF84-AAFD-4B8B-8C7C-BEA9A7D86D6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.3-2963:*:*:*:*:*:*:*",
"matchCriteriaId": "75FAA458-4EF1-4B7C-9321-8838C29C6111",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.3-2964:*:*:*:*:*:*:*",
"matchCriteriaId": "DA143091-3E14-4A11-B8AD-21685EBCE77E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.3-2965:*:*:*:*:*:*:*",
"matchCriteriaId": "AFB960C1-0182-4711-ADC2-D15E7EE73EC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.4-3166:*:*:*:*:*:*:*",
"matchCriteriaId": "58249851-948D-456A-9D92-816CF9D03D43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.5.0-3218:*:*:*:*:*:*:*",
"matchCriteriaId": "A27B802A-2213-410B-A517-1EA03B4B3A5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.5.1-3223:*:*:*:*:*:*:*",
"matchCriteriaId": "82DCC751-6662-44AC-869C-D25D3B17C8F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.5.2-3225:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCD0E8C-A452-455B-ADD3-C162B684BB6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.5.3-3226:*:*:*:*:*:*:*",
"matchCriteriaId": "A7671D8F-19B2-44FA-A4F2-1A87C831944B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.6.0-3339:*:*:*:*:*:*:*",
"matchCriteriaId": "7090BCE8-A479-4FE6-8771-6B5C3385DD0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.6.1-3345:*:*:*:*:*:*:*",
"matchCriteriaId": "FA0BAE16-43E4-47F5-AA0B-83B671BDAE7D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.6.1-3346:*:*:*:*:*:*:*",
"matchCriteriaId": "1202C8C4-0E03-4BA6-8644-85294B4B6A47",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.6.2-3346:*:*:*:*:*:*:*",
"matchCriteriaId": "184D0C67-4C56-4E6F-AC09-A7AE8AFEF538",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.6.3-3347:*:*:*:*:*:*:*",
"matchCriteriaId": "C8A45D93-2194-44C0-8F9E-16F07D6221A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.7.0-3414:*:*:*:*:*:*:*",
"matchCriteriaId": "12F484A6-FAF7-405D-938F-6747C07954B4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.7.1-3419:*:*:*:*:*:*:*",
"matchCriteriaId": "ECEE3B09-FBBF-476A-AACA-07CF2C047734",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by \"synophoto_dsm_user --auth USERNAME PASSWORD\", and local users are able to obtain credentials by sniffing \"/proc/*/cmdline\"."
},
{
"lang": "es",
"value": "Un fallo de dise\u00f1o en la autenticaci\u00f3n en Synology Photo Station de la versi\u00f3n 6.0-2528 a la 6.7.1-3419 permite que usuarios locales obtengan credenciales mediante cmdline. Synology Photo Station emplea el programa synophoto_dsm_user para autenticar el nombre de usuario y la contrase\u00f1a por \"synophoto_dsm_user --auth USERNAME PASSWORD\" y los usuarios locales pueden obtener credenciales rastreando \"/proc/*/cmdline\"."
}
],
"id": "CVE-2017-9552",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-06-13T13:29:00.173",
"references": [
{
"source": "security@synology.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "http://blog.crozat.net/2017/06/synology-photostation-password-vulnerabilty.html"
},
{
"source": "security@synology.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_CVE_2017_9552"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "http://blog.crozat.net/2017/06/synology-photostation-password-vulnerabilty.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_CVE_2017_9552"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-06-02 03:15
Modified
2024-11-21 06:00
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in thumbnail component in Synology Photo Station before 6.8.14-3500 allows remote attackers users to execute arbitrary SQL commands via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F4624656-B826-4A6B-B53D-185153937C0B",
"versionEndExcluding": "6.8.14-3500",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in thumbnail component in Synology Photo Station before 6.8.14-3500 allows remote attackers users to execute arbitrary SQL commands via unspecified vectors."
},
{
"lang": "es",
"value": "Una vulnerabilidad de neutralizaci\u00f3n inapropiada de los elementos especiales usados en un comando SQL (\"SQL Injection\") en el componente thumbnail de Synology Photo Station versiones anteriores a 6.8.14-3500, permite a usuarios atacantes remotos ejecutar comandos SQL arbitrarios por medio de vectores no especificados"
}
],
"id": "CVE-2021-29089",
"lastModified": "2024-11-21T06:00:41.547",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-02T03:15:06.647",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@synology.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-08-08 15:29
Modified
2025-04-20 01:37
Severity ?
Summary
Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@synology.com | https://www.exploit-db.com/exploits/42434/ | Third Party Advisory, VDB Entry | |
| security@synology.com | https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/42434/ | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * | |
| synology | photo_station | 6.3-2967 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FAD31531-C414-44A3-AE98-4FD62506367A",
"versionEndIncluding": "6.7.2-3429",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.3-2967:*:*:*:*:*:*:*",
"matchCriteriaId": "DE5F6615-7773-42A5-9A58-7248D4820E46",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload."
},
{
"lang": "es",
"value": "Una vulnerabilidad de deserializaci\u00f3n en synophoto_csPhotoMisc.php en Synology Photo Station en versiones anteriores a la 6.7.3-3432 y a la 6.3-2967 permite que atacantes remotos consigan privilegios de administrador mediante un payload de dise\u00f1o serializado manipulado."
}
],
"id": "CVE-2017-11153",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-08T15:29:07.773",
"references": [
{
"source": "security@synology.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/42434/"
},
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/42434/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-06-01 14:15
Modified
2024-11-21 06:00
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Unrestricted upload of file with dangerous type vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary code via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F4624656-B826-4A6B-B53D-185153937C0B",
"versionEndExcluding": "6.8.14-3500",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unrestricted upload of file with dangerous type vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary code via unspecified vectors."
},
{
"lang": "es",
"value": "Una vulnerabilidad de carga sin restricciones de archivos de tipo peligroso en el componente file management en Synology Photo Station versiones anteriores a 6.8.14-3500, permite a usuarios autenticados remotos ejecutar c\u00f3digo arbitrario por medio de vectores no especificados"
}
],
"id": "CVE-2021-29092",
"lastModified": "2024-11-21T06:00:41.927",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-01T14:15:09.807",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "security@synology.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-05-12 20:29
Modified
2025-04-20 01:37
Severity ?
Summary
Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted 'X-Forwarded-For' header.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5760E52D-1708-4C41-B8F3-0348D1F38944",
"versionEndIncluding": "6.5.2-3225",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted \u0027X-Forwarded-For\u0027 header."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n de comandos en login.php en Synology Photo Station en versiones anteriores a la 6.5.3-3226, que permitir\u00eda a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s metacaracteres de shell en una cabecera \u0027X-Forwarded-For\u0027 manipulada."
}
],
"id": "CVE-2016-10329",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-05-12T20:29:00.203",
"references": [
{
"source": "security@synology.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://seclists.org/oss-sec/2016/q1/236"
},
{
"source": "security@synology.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-01-PhotoStation-Login-without-password"
},
{
"source": "security@synology.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-02-PhotoStation-Remote-Code-Execution"
},
{
"source": "security@synology.com",
"tags": [
"Release Notes"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://seclists.org/oss-sec/2016/q1/236"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-01-PhotoStation-Login-without-password"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-02-PhotoStation-Remote-Code-Execution"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-12-20 18:29
Modified
2025-04-20 01:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.8.0-3456 allows remote authenticated users to inject arbitrary web scripts or HTML via the id parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "13AF904B-9CBE-4125-8201-1B2FE1C0ADFC",
"versionEndExcluding": "6.8.0-3456",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.8.0-3456 allows remote authenticated users to inject arbitrary web scripts or HTML via the id parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Scripting (XSS) en PixlrEditorHandler.php en Synology Photo Station en versiones anteriores a la 6.8.0-3456 permite que atacantes remotos autenticados inyecten scripts web o HTML arbitrarios mediante el par\u00e1metro id."
}
],
"id": "CVE-2017-12072",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-20T18:29:00.230",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_80"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_80"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-08-08 15:29
Modified
2025-04-20 01:37
Severity ?
Summary
A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@synology.com | https://www.exploit-db.com/exploits/42434/ | Third Party Advisory, VDB Entry | |
| security@synology.com | https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/42434/ | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * | |
| synology | photo_station | 6.3-2967 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FAD31531-C414-44A3-AE98-4FD62506367A",
"versionEndIncluding": "6.7.2-3429",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:6.3-2967:*:*:*:*:*:*:*",
"matchCriteriaId": "DE5F6615-7773-42A5-9A58-7248D4820E46",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action."
},
{
"lang": "es",
"value": "Una vulnerabilidad en synotheme_upload.php en Synology Photo Station en versiones anteriores a la 6.7.3-3432 y a la 6.3-2967 permite que atacantes remotos suban archivos arbitrarios sin autenticaci\u00f3n mediante la acci\u00f3n logo_upload."
}
],
"id": "CVE-2017-11151",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-08-08T15:29:07.710",
"references": [
{
"source": "security@synology.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/42434/"
},
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/42434/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-06-08 13:29
Modified
2024-11-21 04:14
Severity ?
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Cross-site request forgery (CSRF) vulnerability in admin/user.php in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote attackers to hijack the authentication of administrators via the (1) username, (2) password, (3) admin, (4) action, (5) uid, or (6) modify_admin parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * | |
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5F9BA62F-A966-4CC8-AEAB-25F1AC30CEC4",
"versionEndExcluding": "6.3-2975",
"versionStartIncluding": "6.3-2944",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AB7E17E9-519F-4E9E-BD76-C469929B3D13",
"versionEndExcluding": "6.8.5-3471",
"versionStartIncluding": "6.8.0-3456",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in admin/user.php in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote attackers to hijack the authentication of administrators via the (1) username, (2) password, (3) admin, (4) action, (5) uid, or (6) modify_admin parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Request Forgery (CSRF) en admin/user.php en Synology Photo Station en versiones anteriores a la 6.8.5-3471 y anteriores a la 6.3-2975 permite que atacantes remotos secuestren la autenticaci\u00f3n de los administradores mediante los par\u00e1metros (1) username, (2) password, (3) admin, (4) action, (5) uid o (6) modify_admin."
}
],
"id": "CVE-2018-8925",
"lastModified": "2024-11-21T04:14:36.957",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-06-08T13:29:01.297",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/zh-tw/support/security/Synology_SA_18_15"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/zh-tw/support/security/Synology_SA_18_15"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-06-02 02:15
Modified
2024-11-21 06:00
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in PHP component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary SQL command via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F4624656-B826-4A6B-B53D-185153937C0B",
"versionEndExcluding": "6.8.14-3500",
"versionStartIncluding": "6.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in PHP component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary SQL command via unspecified vectors."
},
{
"lang": "es",
"value": "Una vulnerabilidad de neutralizaci\u00f3n inapropiada de los elementos especiales usados en un comando SQL (\"SQL Injection\") en el componente PHP en Synology Photo Station versiones anteriores a 6.8.14-3500, permite a usuarios remotos autenticados ejecutar un comando SQL arbitrario por medio de vectores no especificados"
}
],
"id": "CVE-2021-29090",
"lastModified": "2024-11-21T06:00:41.677",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-02T02:15:06.960",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@synology.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-09-08 14:29
Modified
2025-04-20 01:37
Severity ?
Summary
Multiple SQL injection vulnerabilities in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allow remote attackers to execute arbitrary SQL commands via the (1) article_id parameter to label.php; or (2) type parameter to synotheme.php.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | photo_station | * | |
| synology | photo_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "23EC868E-F493-4A58-B3D5-0D05F33725FD",
"versionEndIncluding": "6.3-2967",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9EDAA6AE-EA8A-4B2E-A36D-9EBC48BFC485",
"versionEndIncluding": "6.7.3-3432",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allow remote attackers to execute arbitrary SQL commands via the (1) article_id parameter to label.php; or (2) type parameter to synotheme.php."
},
{
"lang": "es",
"value": "Existen m\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en Synology Photo Station en versiones anteriores a la 6.7.4-3433 y 6.3-2968 que permiten que los atacantes remotos ejecuten comandos SQL arbitrarios mediante (1) el par\u00e1metro article_id en label.php; o (2) el par\u00e1metro type en synotheme.php."
}
],
"id": "CVE-2017-11161",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-09-08T14:29:00.213",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2018-8926 (GCVE-0-2018-8926)
Vulnerability from cvelistv5
Published
2018-06-08 13:00
Modified
2024-09-16 19:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-625 - Permissive Regular Expression ()
Summary
Permissive regular expression vulnerability in synophoto_dsm_user in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote authenticated users to conduct privilege escalation attacks via the fullname parameter.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Photo Station |
Version: unspecified < 6.8.5-3471 Version: unspecified < 6.3-2975 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:10:46.941Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/zh-tw/support/security/Synology_SA_18_15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Photo Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "6.8.5-3471",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "6.3-2975",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-06-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Permissive regular expression vulnerability in synophoto_dsm_user in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote authenticated users to conduct privilege escalation attacks via the fullname parameter."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-625",
"description": "Permissive Regular Expression (CWE-625)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-08T12:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/zh-tw/support/security/Synology_SA_18_15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2018-06-08T00:00:00",
"ID": "CVE-2018-8926",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Photo Station",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "6.8.5-3471"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "6.3-2975"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Permissive regular expression vulnerability in synophoto_dsm_user in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote authenticated users to conduct privilege escalation attacks via the fullname parameter."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Permissive Regular Expression (CWE-625)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/zh-tw/support/security/Synology_SA_18_15",
"refsource": "CONFIRM",
"url": "https://www.synology.com/zh-tw/support/security/Synology_SA_18_15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2018-8926",
"datePublished": "2018-06-08T13:00:00Z",
"dateReserved": "2018-03-22T00:00:00",
"dateUpdated": "2024-09-16T19:04:50.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10322 (GCVE-0-2016-10322)
Vulnerability from cvelistv5
Published
2017-04-10 18:00
Modified
2024-09-16 23:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:14:42.965Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.synology.com/en-us/releaseNote/PhotoStation"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2016/q1/236"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-10T18:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.synology.com/en-us/releaseNote/PhotoStation"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2016/q1/236"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10322",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-us/releaseNote/PhotoStation",
"refsource": "MISC",
"url": "https://www.synology.com/en-us/releaseNote/PhotoStation"
},
{
"name": "http://seclists.org/oss-sec/2016/q1/236",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2016/q1/236"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10322",
"datePublished": "2017-04-10T18:00:00Z",
"dateReserved": "2017-04-10T00:00:00Z",
"dateUpdated": "2024-09-16T23:40:50.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16772 (GCVE-0-2017-16772)
Vulnerability from cvelistv5
Published
2018-03-22 14:00
Modified
2024-09-17 04:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type ()
Summary
Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUpload in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote authenticated users to execute arbitrary codes via the prog_id parameter.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Photo Station |
Version: before 6.8.3-3463 Version: before 6.3-2971 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:35:20.953Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_18_02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "before 6.8.3-3463"
},
{
"status": "affected",
"version": "before 6.3-2971"
}
]
}
],
"datePublic": "2018-03-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUpload in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote authenticated users to execute arbitrary codes via the prog_id parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type (CWE-434)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-22T13:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_18_02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2018-03-22T00:00:00",
"ID": "CVE-2017-16772",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Photo Station",
"version": {
"version_data": [
{
"version_value": "before 6.8.3-3463"
},
{
"version_value": "before 6.3-2971"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUpload in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote authenticated users to execute arbitrary codes via the prog_id parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Unrestricted Upload of File with Dangerous Type (CWE-434)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Synology_SA_18_02",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_18_02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2017-16772",
"datePublished": "2018-03-22T14:00:00Z",
"dateReserved": "2017-11-10T00:00:00",
"dateUpdated": "2024-09-17T04:23:49.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-11162 (GCVE-0-2017-11162)
Vulnerability from cvelistv5
Published
2017-09-08 14:00
Modified
2024-09-16 23:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ()
Summary
Directory traversal vulnerability in synphotoio in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to read arbitrary files via unspecified vectors.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Photo Station |
Version: before 6.7.4-3433 and 6.3-2968 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:57:57.917Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "before 6.7.4-3433 and 6.3-2968"
}
]
}
],
"datePublic": "2017-09-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in synphotoio in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to read arbitrary files via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-08T13:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2017-09-08T00:00:00",
"ID": "CVE-2017-11162",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Photo Station",
"version": {
"version_data": [
{
"version_value": "before 6.7.4-3433 and 6.3-2968"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in synphotoio in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to read arbitrary files via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Limitation of a Pathname to a Restricted Directory (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2017-11162",
"datePublished": "2017-09-08T14:00:00Z",
"dateReserved": "2017-07-10T00:00:00",
"dateUpdated": "2024-09-16T23:11:46.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-9555 (GCVE-0-2017-9555)
Vulnerability from cvelistv5
Published
2017-08-24 19:00
Modified
2024-09-17 03:44
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ()
Summary
Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.0-3414 allows remote attackers to inject arbitrary web script or HTML via the image parameter.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Photo Station |
Version: before 6.7.0-3414 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:11:02.273Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_47_Photo_Station"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "before 6.7.0-3414"
}
]
}
],
"datePublic": "2017-08-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.0-3414 allows remote attackers to inject arbitrary web script or HTML via the image parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-24T18:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_47_Photo_Station"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2017-08-24T00:00:00",
"ID": "CVE-2017-9555",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Photo Station",
"version": {
"version_data": [
{
"version_value": "before 6.7.0-3414"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.0-3414 allows remote attackers to inject arbitrary web script or HTML via the image parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Input During Web Page Generation (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Synology_SA_17_47_Photo_Station",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_47_Photo_Station"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2017-9555",
"datePublished": "2017-08-24T19:00:00Z",
"dateReserved": "2017-06-12T00:00:00",
"dateUpdated": "2024-09-17T03:44:20.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29091 (GCVE-0-2021-29091)
Vulnerability from cvelistv5
Published
2021-06-02 02:00
Modified
2024-09-16 17:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to write arbitrary files via unspecified vectors.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Photo Station |
Version: unspecified < 6.8.14-3500 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:50.348Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "6.8.14-3500",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-06-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027) vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to write arbitrary files via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-02T02:00:10",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2021-06-01T09:53:43.569888",
"ID": "CVE-2021-29091",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Photo Station",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "6.8.14-3500"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper limitation of a pathname to a restricted directory (\u0027Path Traversal\u0027) vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to write arbitrary files via unspecified vectors."
}
]
},
"impact": {
"cvss": {
"baseScore": "7.7",
"vectorString": "AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/security/advisory/Synology_SA_20_20",
"refsource": "CONFIRM",
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2021-29091",
"datePublished": "2021-06-02T02:00:11.061223Z",
"dateReserved": "2021-03-23T00:00:00",
"dateUpdated": "2024-09-16T17:17:50.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-11161 (GCVE-0-2017-11161)
Vulnerability from cvelistv5
Published
2017-09-08 14:00
Modified
2024-09-16 16:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ()
Summary
Multiple SQL injection vulnerabilities in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allow remote attackers to execute arbitrary SQL commands via the (1) article_id parameter to label.php; or (2) type parameter to synotheme.php.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Photo Station |
Version: before 6.7.4-3433 and 6.3-2968 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:57:57.989Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "before 6.7.4-3433 and 6.3-2968"
}
]
}
],
"datePublic": "2017-09-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allow remote attackers to execute arbitrary SQL commands via the (1) article_id parameter to label.php; or (2) type parameter to synotheme.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (CWE-89)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-08T13:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2017-09-08T00:00:00",
"ID": "CVE-2017-11161",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Photo Station",
"version": {
"version_data": [
{
"version_value": "before 6.7.4-3433 and 6.3-2968"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple SQL injection vulnerabilities in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allow remote attackers to execute arbitrary SQL commands via the (1) article_id parameter to label.php; or (2) type parameter to synotheme.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Special Elements used in an SQL Command (CWE-89)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2017-11161",
"datePublished": "2017-09-08T14:00:00Z",
"dateReserved": "2017-07-10T00:00:00",
"dateUpdated": "2024-09-16T16:49:11.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-11151 (GCVE-0-2017-11151)
Vulnerability from cvelistv5
Published
2017-08-08 15:00
Modified
2024-09-16 16:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication ()
Summary
A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Photo Station |
Version: before 6.7.3-3432 and 6.3-2967 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:57:57.985Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"name": "42434",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/42434/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "before 6.7.3-3432 and 6.3-2967"
}
]
}
],
"datePublic": "2017-07-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication (CWE-287)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-11T15:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"name": "42434",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/42434/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2017-07-31T00:00:00",
"ID": "CVE-2017-11151",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Photo Station",
"version": {
"version_data": [
{
"version_value": "before 6.7.3-3432 and 6.3-2967"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Authentication (CWE-287)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"name": "42434",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/42434/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2017-11151",
"datePublished": "2017-08-08T15:00:00Z",
"dateReserved": "2017-07-10T00:00:00",
"dateUpdated": "2024-09-16T16:52:46.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-12079 (GCVE-0-2017-12079)
Vulnerability from cvelistv5
Published
2017-12-04 19:00
Modified
2024-09-16 18:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-552 - Files or Directories Accessible to External Parties ()
Summary
Files or directories accessible to external parties vulnerability in picasa.php in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain arbitrary files via prog_id field.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Photo Station |
Version: before 6.8.1-3458 Version: before 6.3-2970 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:28:15.751Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_63_Photo_Station"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "before 6.8.1-3458"
},
{
"status": "affected",
"version": "before 6.3-2970"
}
]
}
],
"datePublic": "2017-11-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Files or directories accessible to external parties vulnerability in picasa.php in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain arbitrary files via prog_id field."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "Files or Directories Accessible to External Parties (CWE-552)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-04T18:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_63_Photo_Station"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2017-11-06T00:00:00",
"ID": "CVE-2017-12079",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Photo Station",
"version": {
"version_data": [
{
"version_value": "before 6.8.1-3458"
},
{
"version_value": "before 6.3-2970"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Files or directories accessible to external parties vulnerability in picasa.php in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain arbitrary files via prog_id field."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Files or Directories Accessible to External Parties (CWE-552)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Synology_SA_17_63_Photo_Station",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_63_Photo_Station"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2017-12079",
"datePublished": "2017-12-04T19:00:00Z",
"dateReserved": "2017-07-31T00:00:00",
"dateUpdated": "2024-09-16T18:19:19.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16771 (GCVE-0-2017-16771)
Vulnerability from cvelistv5
Published
2018-03-22 14:00
Modified
2024-09-16 18:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ()
Summary
Cross-site scripting (XSS) vulnerability in Log Viewer in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote attackers to inject arbitrary web script or HTML via the username parameter.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Photo Station |
Version: before 6.8.3-3463 Version: before 6.3-2971 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:35:20.974Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_18_02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "before 6.8.3-3463"
},
{
"status": "affected",
"version": "before 6.3-2971"
}
]
}
],
"datePublic": "2018-03-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Log Viewer in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote attackers to inject arbitrary web script or HTML via the username parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-22T13:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_18_02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2018-03-22T00:00:00",
"ID": "CVE-2017-16771",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Photo Station",
"version": {
"version_data": [
{
"version_value": "before 6.8.3-3463"
},
{
"version_value": "before 6.3-2971"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in Log Viewer in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote attackers to inject arbitrary web script or HTML via the username parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Input During Web Page Generation (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Synology_SA_18_02",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_18_02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2017-16771",
"datePublished": "2018-03-22T14:00:00Z",
"dateReserved": "2017-11-10T00:00:00",
"dateUpdated": "2024-09-16T18:38:52.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-11152 (GCVE-0-2017-11152)
Vulnerability from cvelistv5
Published
2017-08-08 15:00
Modified
2024-09-16 20:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ()
Summary
Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Photo Station |
Version: before 6.7.3-3432 and 6.3-2967 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:57:57.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"name": "42434",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/42434/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "before 6.7.3-3432 and 6.3-2967"
}
]
}
],
"datePublic": "2017-07-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-11T15:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"name": "42434",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/42434/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2017-07-31T00:00:00",
"ID": "CVE-2017-11152",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Photo Station",
"version": {
"version_data": [
{
"version_value": "before 6.7.3-3432 and 6.3-2967"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Limitation of a Pathname to a Restricted Directory (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"name": "42434",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/42434/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2017-11152",
"datePublished": "2017-08-08T15:00:00Z",
"dateReserved": "2017-07-10T00:00:00",
"dateUpdated": "2024-09-16T20:41:43.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-4656 (GCVE-0-2015-4656)
Vulnerability from cvelistv5
Published
2015-06-18 18:00
Modified
2024-08-06 06:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php or (2) crafted URL parameters to index.php, as demonstrated by the t parameter to photo/.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:18:12.225Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "74816",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/74816"
},
{
"name": "20150525 Synology Photo Station multiple Cross-Site Scripting vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2015/May/110"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.securify.nl/advisory/SFY20150504/synology_photo_station_multiple_cross_site_scripting_vulnerabilities.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-us/support/security/Photo_Station_2945"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-05-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php or (2) crafted URL parameters to index.php, as demonstrated by the t parameter to photo/."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-11-25T19:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "74816",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/74816"
},
{
"name": "20150525 Synology Photo Station multiple Cross-Site Scripting vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2015/May/110"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.securify.nl/advisory/SFY20150504/synology_photo_station_multiple_cross_site_scripting_vulnerabilities.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-us/support/security/Photo_Station_2945"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-4656",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php or (2) crafted URL parameters to index.php, as demonstrated by the t parameter to photo/."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "74816",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/74816"
},
{
"name": "20150525 Synology Photo Station multiple Cross-Site Scripting vulnerabilities",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2015/May/110"
},
{
"name": "https://www.securify.nl/advisory/SFY20150504/synology_photo_station_multiple_cross_site_scripting_vulnerabilities.html",
"refsource": "MISC",
"url": "https://www.securify.nl/advisory/SFY20150504/synology_photo_station_multiple_cross_site_scripting_vulnerabilities.html"
},
{
"name": "https://www.synology.com/en-us/support/security/Photo_Station_2945",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-us/support/security/Photo_Station_2945"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-4656",
"datePublished": "2015-06-18T18:00:00",
"dateReserved": "2015-06-18T00:00:00",
"dateUpdated": "2024-08-06T06:18:12.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11822 (GCVE-0-2019-11822)
Vulnerability from cvelistv5
Published
2019-06-30 15:00
Modified
2024-09-17 02:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-23 - Relative Path Traversal ()
Summary
Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Photo Station |
Version: unspecified < 6.8.11-3489 Version: unspecified < 6.3-2977 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:03:32.797Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_19_01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Photo Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "6.8.11-3489",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "6.3-2977",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-06-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "Relative Path Traversal (CWE-23)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-30T15:00:22",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_19_01"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2019-06-30T00:00:00",
"ID": "CVE-2019-11822",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Photo Station",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "6.8.11-3489"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "6.3-2977"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Relative Path Traversal (CWE-23)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/security/advisory/Synology_SA_19_01",
"refsource": "CONFIRM",
"url": "https://www.synology.com/security/advisory/Synology_SA_19_01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2019-11822",
"datePublished": "2019-06-30T15:00:22.668296Z",
"dateReserved": "2019-05-08T00:00:00",
"dateUpdated": "2024-09-17T02:41:18.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10323 (GCVE-0-2016-10323)
Vulnerability from cvelistv5
Published
2017-04-10 18:00
Modified
2024-09-16 22:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Synology Photo Station before 6.3-2958 allows local users to gain privileges by leveraging setuid execution of a "synophoto_dsm_user --copy-no-ea" command.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:14:43.004Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.synology.com/en-us/releaseNote/PhotoStation"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2016/q1/236"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Synology Photo Station before 6.3-2958 allows local users to gain privileges by leveraging setuid execution of a \"synophoto_dsm_user --copy-no-ea\" command."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-10T18:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.synology.com/en-us/releaseNote/PhotoStation"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2016/q1/236"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10323",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Synology Photo Station before 6.3-2958 allows local users to gain privileges by leveraging setuid execution of a \"synophoto_dsm_user --copy-no-ea\" command."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-us/releaseNote/PhotoStation",
"refsource": "MISC",
"url": "https://www.synology.com/en-us/releaseNote/PhotoStation"
},
{
"name": "http://seclists.org/oss-sec/2016/q1/236",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2016/q1/236"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10323",
"datePublished": "2017-04-10T18:00:00Z",
"dateReserved": "2017-04-10T00:00:00Z",
"dateUpdated": "2024-09-16T22:15:48.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10330 (GCVE-0-2016-10330)
Vulnerability from cvelistv5
Published
2017-05-12 20:00
Modified
2024-08-06 03:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Directory Traversal (); Privilege Escalation (CWE-269)
Summary
Directory traversal vulnerability in synophoto_dsm_user, a SUID program, as used in Synology Photo Station before 6.5.3-3226 allows local users to write to arbitrary files via unspecified vectors.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Photo Station |
Version: All versions prior to version 6.5.3-3226 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:14:43.046Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-04-Privilege-Escalation"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-03-Read-Write-Arbitrary-Files"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226"
},
{
"name": "[oss-security] 20160128 CVE request: Synology Photo Station command injection and privilege escalation",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2016/q1/236"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 6.5.3-3226"
}
]
}
],
"datePublic": "2016-08-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in synophoto_dsm_user, a SUID program, as used in Synology Photo Station before 6.5.3-3226 allows local users to write to arbitrary files via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Directory Traversal (CWE-22); Privilege Escalation (CWE-269)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-12T19:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-04-Privilege-Escalation"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-03-Read-Write-Arbitrary-Files"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226"
},
{
"name": "[oss-security] 20160128 CVE request: Synology Photo Station command injection and privilege escalation",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2016/q1/236"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"ID": "CVE-2016-10330",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Photo Station",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 6.5.3-3226"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in synophoto_dsm_user, a SUID program, as used in Synology Photo Station before 6.5.3-3226 allows local users to write to arbitrary files via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Directory Traversal (CWE-22); Privilege Escalation (CWE-269)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-04-Privilege-Escalation",
"refsource": "MISC",
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-04-Privilege-Escalation"
},
{
"name": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-03-Read-Write-Arbitrary-Files",
"refsource": "MISC",
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-03-Read-Write-Arbitrary-Files"
},
{
"name": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226"
},
{
"name": "[oss-security] 20160128 CVE request: Synology Photo Station command injection and privilege escalation",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2016/q1/236"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2016-10330",
"datePublished": "2017-05-12T20:00:00",
"dateReserved": "2017-04-18T00:00:00",
"dateUpdated": "2024-08-06T03:14:43.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-8925 (GCVE-0-2018-8925)
Vulnerability from cvelistv5
Published
2018-06-08 13:00
Modified
2024-09-16 23:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross Site Request Forgery (CSRF)
Summary
Cross-site request forgery (CSRF) vulnerability in admin/user.php in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote attackers to hijack the authentication of administrators via the (1) username, (2) password, (3) admin, (4) action, (5) uid, or (6) modify_admin parameter.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Photo Station |
Version: unspecified < 6.8.5-3471 Version: unspecified < 6.3-2975 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:10:46.825Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/zh-tw/support/security/Synology_SA_18_15"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Photo Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "6.8.5-3471",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "6.3-2975",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-06-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in admin/user.php in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote attackers to hijack the authentication of administrators via the (1) username, (2) password, (3) admin, (4) action, (5) uid, or (6) modify_admin parameter."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross Site Request Forgery (CSRF)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-08T12:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/zh-tw/support/security/Synology_SA_18_15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2018-06-08T00:00:00",
"ID": "CVE-2018-8925",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Photo Station",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "6.8.5-3471"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "6.3-2975"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in admin/user.php in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote attackers to hijack the authentication of administrators via the (1) username, (2) password, (3) admin, (4) action, (5) uid, or (6) modify_admin parameter."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/zh-tw/support/security/Synology_SA_18_15",
"refsource": "CONFIRM",
"url": "https://www.synology.com/zh-tw/support/security/Synology_SA_18_15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2018-8925",
"datePublished": "2018-06-08T13:00:00Z",
"dateReserved": "2018-03-22T00:00:00",
"dateUpdated": "2024-09-16T23:16:56.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-12072 (GCVE-0-2017-12072)
Vulnerability from cvelistv5
Published
2017-12-20 18:00
Modified
2024-09-17 01:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ()
Summary
Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.8.0-3456 allows remote authenticated users to inject arbitrary web scripts or HTML via the id parameter.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Photo Station |
Version: before 6.8.0-3456 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:28:16.526Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_80"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "before 6.8.0-3456"
}
]
}
],
"datePublic": "2017-12-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.8.0-3456 allows remote authenticated users to inject arbitrary web scripts or HTML via the id parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-20T17:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_80"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2017-12-20T00:00:00",
"ID": "CVE-2017-12072",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Photo Station",
"version": {
"version_data": [
{
"version_value": "before 6.8.0-3456"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.8.0-3456 allows remote authenticated users to inject arbitrary web scripts or HTML via the id parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Input During Web Page Generation (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Synology_SA_17_80",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_80"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2017-12072",
"datePublished": "2017-12-20T18:00:00Z",
"dateReserved": "2017-07-31T00:00:00",
"dateUpdated": "2024-09-17T01:36:39.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-11154 (GCVE-0-2017-11154)
Vulnerability from cvelistv5
Published
2017-08-08 15:00
Modified
2024-09-17 00:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type ()
Summary
Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type parameter.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Photo Station |
Version: before 6.7.3-3432 and 6.3-2967 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:57:57.677Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"name": "42434",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/42434/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "before 6.7.3-3432 and 6.3-2967"
}
]
}
],
"datePublic": "2017-07-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type (CWE-434)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-11T15:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"name": "42434",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/42434/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2017-07-31T00:00:00",
"ID": "CVE-2017-11154",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Photo Station",
"version": {
"version_data": [
{
"version_value": "before 6.7.3-3432 and 6.3-2967"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Unrestricted Upload of File with Dangerous Type (CWE-434)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"name": "42434",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/42434/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2017-11154",
"datePublished": "2017-08-08T15:00:00Z",
"dateReserved": "2017-07-10T00:00:00",
"dateUpdated": "2024-09-17T00:26:07.171Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-11155 (GCVE-0-2017-11155)
Vulnerability from cvelistv5
Published
2017-08-08 15:00
Modified
2024-09-17 00:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-205 - Information Exposure Through Behavioral Discrepancy ()
Summary
An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to obtain sensitive system information via unspecified vectors.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Photo Station |
Version: before 6.7.3-3432 and 6.3-2967 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:57:58.052Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"name": "42434",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/42434/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "before 6.7.3-3432 and 6.3-2967"
}
]
}
],
"datePublic": "2017-07-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to obtain sensitive system information via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-205",
"description": "Information Exposure Through Behavioral Discrepancy (CWE-205)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-11T15:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"name": "42434",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/42434/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2017-07-31T00:00:00",
"ID": "CVE-2017-11155",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Photo Station",
"version": {
"version_data": [
{
"version_value": "before 6.7.3-3432 and 6.3-2967"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to obtain sensitive system information via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Exposure Through Behavioral Discrepancy (CWE-205)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"name": "42434",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/42434/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2017-11155",
"datePublished": "2017-08-08T15:00:00Z",
"dateReserved": "2017-07-10T00:00:00",
"dateUpdated": "2024-09-17T00:46:54.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29090 (GCVE-0-2021-29090)
Vulnerability from cvelistv5
Published
2021-06-02 02:00
Modified
2024-09-17 03:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in PHP component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary SQL command via unspecified vectors.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Photo Station |
Version: unspecified < 6.8.14-3500 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:12.579Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "6.8.14-3500",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-06-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in PHP component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary SQL command via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-02T02:00:14",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2021-06-01T10:05:52.780596",
"ID": "CVE-2021-29090",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Photo Station",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "6.8.14-3500"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in PHP component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary SQL command via unspecified vectors."
}
]
},
"impact": {
"cvss": {
"baseScore": "7.2",
"vectorString": "AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/security/advisory/Synology_SA_20_20",
"refsource": "CONFIRM",
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2021-29090",
"datePublished": "2021-06-02T02:00:14.204878Z",
"dateReserved": "2021-03-23T00:00:00",
"dateUpdated": "2024-09-17T03:29:04.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29089 (GCVE-0-2021-29089)
Vulnerability from cvelistv5
Published
2021-06-02 02:15
Modified
2024-09-16 21:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in thumbnail component in Synology Photo Station before 6.8.14-3500 allows remote attackers users to execute arbitrary SQL commands via unspecified vectors.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Photo Station |
Version: unspecified < 6.8.14-3500 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:55:12.680Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "6.8.14-3500",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-06-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in thumbnail component in Synology Photo Station before 6.8.14-3500 allows remote attackers users to execute arbitrary SQL commands via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-02T02:15:09",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2021-06-02T01:54:33.723512",
"ID": "CVE-2021-29089",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Photo Station",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "6.8.14-3500"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in thumbnail component in Synology Photo Station before 6.8.14-3500 allows remote attackers users to execute arbitrary SQL commands via unspecified vectors."
}
]
},
"impact": {
"cvss": {
"baseScore": "9.8",
"vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/security/advisory/Synology_SA_20_20",
"refsource": "CONFIRM",
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2021-29089",
"datePublished": "2021-06-02T02:15:10.069846Z",
"dateReserved": "2021-03-23T00:00:00",
"dateUpdated": "2024-09-16T21:04:38.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-9552 (GCVE-0-2017-9552)
Vulnerability from cvelistv5
Published
2017-06-13 13:00
Modified
2024-08-05 17:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-522 - Insufficiently Protected Credentials ()
Summary
A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by "synophoto_dsm_user --auth USERNAME PASSWORD", and local users are able to obtain credentials by sniffing "/proc/*/cmdline".
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Photo Station |
Version: 6.0-2528 through 6.7.1-3419 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:11:02.282Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_CVE_2017_9552"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://blog.crozat.net/2017/06/synology-photostation-password-vulnerabilty.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "6.0-2528 through 6.7.1-3419"
}
]
}
],
"datePublic": "2017-06-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by \"synophoto_dsm_user --auth USERNAME PASSWORD\", and local users are able to obtain credentials by sniffing \"/proc/*/cmdline\"."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "Insufficiently Protected Credentials (CWE-522)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-06-13T12:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_CVE_2017_9552"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://blog.crozat.net/2017/06/synology-photostation-password-vulnerabilty.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"ID": "CVE-2017-9552",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Photo Station",
"version": {
"version_data": [
{
"version_value": "6.0-2528 through 6.7.1-3419"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by \"synophoto_dsm_user --auth USERNAME PASSWORD\", and local users are able to obtain credentials by sniffing \"/proc/*/cmdline\"."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insufficiently Protected Credentials (CWE-522)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Photo_Station_CVE_2017_9552",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Photo_Station_CVE_2017_9552"
},
{
"name": "http://blog.crozat.net/2017/06/synology-photostation-password-vulnerabilty.html",
"refsource": "MISC",
"url": "http://blog.crozat.net/2017/06/synology-photostation-password-vulnerabilty.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2017-9552",
"datePublished": "2017-06-13T13:00:00",
"dateReserved": "2017-06-12T00:00:00",
"dateUpdated": "2024-08-05T17:11:02.282Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16769 (GCVE-0-2017-16769)
Vulnerability from cvelistv5
Published
2018-02-23 22:00
Modified
2024-09-17 00:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-359 - Exposure of Private Information ()
Summary
Exposure of private information vulnerability in Photo Viewer in Synology Photo Station 6.8.1-3458 allows remote attackers to obtain metadata from password-protected photographs via the map viewer mode.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Photo Station |
Version: 6.8.1-3458 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:35:21.186Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_76"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "6.8.1-3458"
}
]
}
],
"datePublic": "2010-12-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Exposure of private information vulnerability in Photo Viewer in Synology Photo Station 6.8.1-3458 allows remote attackers to obtain metadata from password-protected photographs via the map viewer mode."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "Exposure of Private Information (CWE-359)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-23T21:57:02",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_76"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2010-12-07T00:00:00",
"ID": "CVE-2017-16769",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Photo Station",
"version": {
"version_data": [
{
"version_value": "6.8.1-3458"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Exposure of private information vulnerability in Photo Viewer in Synology Photo Station 6.8.1-3458 allows remote attackers to obtain metadata from password-protected photographs via the map viewer mode."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Exposure of Private Information (CWE-359)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Synology_SA_17_76",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_76"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2017-16769",
"datePublished": "2018-02-23T22:00:00Z",
"dateReserved": "2017-11-10T00:00:00",
"dateUpdated": "2024-09-17T00:36:17.171Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29092 (GCVE-0-2021-29092)
Vulnerability from cvelistv5
Published
2021-06-01 09:45
Modified
2024-09-16 19:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
Unrestricted upload of file with dangerous type vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary code via unspecified vectors.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Photo Station |
Version: unspecified < 6.8.14-3500 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:50.346Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "6.8.14-3500",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-05-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unrestricted upload of file with dangerous type vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary code via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-01T09:45:16",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2021-05-31T04:09:41.811214",
"ID": "CVE-2021-29092",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Photo Station",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "6.8.14-3500"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unrestricted upload of file with dangerous type vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary code via unspecified vectors."
}
]
},
"impact": {
"cvss": {
"baseScore": "8.8",
"vectorString": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-434: Unrestricted Upload of File with Dangerous Type"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/security/advisory/Synology_SA_20_20",
"refsource": "CONFIRM",
"url": "https://www.synology.com/security/advisory/Synology_SA_20_20"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2021-29092",
"datePublished": "2021-06-01T09:45:16.520011Z",
"dateReserved": "2021-03-23T00:00:00",
"dateUpdated": "2024-09-16T19:05:47.001Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-11153 (GCVE-0-2017-11153)
Vulnerability from cvelistv5
Published
2017-08-08 15:00
Modified
2024-09-16 17:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data ()
Summary
Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Photo Station |
Version: before 6.7.3-3432 and 6.3-2967 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:57:58.039Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"name": "42434",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/42434/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "before 6.7.3-3432 and 6.3-2967"
}
]
}
],
"datePublic": "2017-07-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data (CWE-502)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-11T15:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"name": "42434",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/42434/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2017-07-31T00:00:00",
"ID": "CVE-2017-11153",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Photo Station",
"version": {
"version_data": [
{
"version_value": "before 6.7.3-3432 and 6.3-2967"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Deserialization of Untrusted Data (CWE-502)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation"
},
{
"name": "42434",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/42434/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2017-11153",
"datePublished": "2017-08-08T15:00:00Z",
"dateReserved": "2017-07-10T00:00:00",
"dateUpdated": "2024-09-16T17:47:41.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-12071 (GCVE-0-2017-12071)
Vulnerability from cvelistv5
Published
2017-09-08 14:00
Modified
2024-09-17 02:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery ()
Summary
Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via the url parameter.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Photo Station |
Version: before 6.7.4-3433 and 6.3-2968 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:28:15.785Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "before 6.7.4-3433 and 6.3-2968"
}
]
}
],
"datePublic": "2017-09-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via the url parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (CWE-918)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-08T13:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2017-09-08T00:00:00",
"ID": "CVE-2017-12071",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Photo Station",
"version": {
"version_data": [
{
"version_value": "before 6.7.4-3433 and 6.3-2968"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via the url parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (CWE-918)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2017-12071",
"datePublished": "2017-09-08T14:00:00Z",
"dateReserved": "2017-07-31T00:00:00",
"dateUpdated": "2024-09-17T02:15:37.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10329 (GCVE-0-2016-10329)
Vulnerability from cvelistv5
Published
2017-05-12 20:00
Modified
2024-08-06 03:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-77 - Arbitrary Code Execution ()
Summary
Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted 'X-Forwarded-For' header.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Photo Station |
Version: All versions prior to version 6.5.3-3226 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:14:42.953Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-01-PhotoStation-Login-without-password"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-02-PhotoStation-Remote-Code-Execution"
},
{
"name": "[oss-security] 20160128 CVE request: Synology Photo Station command injection and privilege escalation",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2016/q1/236"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 6.5.3-3226"
}
]
}
],
"datePublic": "2016-08-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted \u0027X-Forwarded-For\u0027 header."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Arbitrary Code Execution (CWE-77)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-12T19:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-01-PhotoStation-Login-without-password"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-02-PhotoStation-Remote-Code-Execution"
},
{
"name": "[oss-security] 20160128 CVE request: Synology Photo Station command injection and privilege escalation",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2016/q1/236"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"ID": "CVE-2016-10329",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Photo Station",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 6.5.3-3226"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted \u0027X-Forwarded-For\u0027 header."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Arbitrary Code Execution (CWE-77)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226"
},
{
"name": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-01-PhotoStation-Login-without-password",
"refsource": "MISC",
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-01-PhotoStation-Login-without-password"
},
{
"name": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-02-PhotoStation-Remote-Code-Execution",
"refsource": "MISC",
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-02-PhotoStation-Remote-Code-Execution"
},
{
"name": "[oss-security] 20160128 CVE request: Synology Photo Station command injection and privilege escalation",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2016/q1/236"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2016-10329",
"datePublished": "2017-05-12T20:00:00",
"dateReserved": "2017-04-18T00:00:00",
"dateUpdated": "2024-08-06T03:14:42.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-12080 (GCVE-0-2017-12080)
Vulnerability from cvelistv5
Published
2017-12-04 19:00
Modified
2024-09-16 16:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Information Exposure ()
Summary
An information exposure vulnerability in default HTTP configuration file in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain sensitive system information via .htaccess file.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Photo Station |
Version: before 6.8.1-3458 Version: before 6.3-2970 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:28:16.264Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_63_Photo_Station"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "before 6.8.1-3458"
},
{
"status": "affected",
"version": "before 6.3-2970"
}
]
}
],
"datePublic": "2017-11-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An information exposure vulnerability in default HTTP configuration file in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain sensitive system information via .htaccess file."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Exposure (CWE-200)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-04T18:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_63_Photo_Station"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2017-11-06T00:00:00",
"ID": "CVE-2017-12080",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Photo Station",
"version": {
"version_data": [
{
"version_value": "before 6.8.1-3458"
},
{
"version_value": "before 6.3-2970"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An information exposure vulnerability in default HTTP configuration file in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain sensitive system information via .htaccess file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Exposure (CWE-200)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Synology_SA_17_63_Photo_Station",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_63_Photo_Station"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2017-12080",
"datePublished": "2017-12-04T19:00:00Z",
"dateReserved": "2017-07-31T00:00:00",
"dateUpdated": "2024-09-16T16:58:09.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-13282 (GCVE-0-2018-13282)
Vulnerability from cvelistv5
Published
2018-10-31 16:00
Modified
2024-09-16 20:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-384 - Session Fixation ()
Summary
Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Photo Station |
Version: unspecified < 6.8.7-3481 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T09:00:34.016Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_18_37"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Photo Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "6.8.7-3481",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-10-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "Session Fixation (CWE-384)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-31T15:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_18_37"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2018-10-31T00:00:00",
"ID": "CVE-2018-13282",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Photo Station",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "6.8.7-3481"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Session Fixation (CWE-384)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Synology_SA_18_37",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_18_37"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2018-13282",
"datePublished": "2018-10-31T16:00:00Z",
"dateReserved": "2018-07-05T00:00:00",
"dateUpdated": "2024-09-16T20:07:10.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22681 (GCVE-0-2022-22681)
Vulnerability from cvelistv5
Published
2022-07-06 07:35
Modified
2024-09-16 16:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-384 - Session Fixation
Summary
Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Photo Station |
Version: unspecified < 6.8.16-3506 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:21:48.758Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_21_26"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Photo Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "6.8.16-3506",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-07-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-06T07:35:10",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_21_26"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2022-07-04T14:57:41.410632",
"ID": "CVE-2022-22681",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Photo Station",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "6.8.16-3506"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors."
}
]
},
"impact": {
"cvss": {
"baseScore": "8.1",
"vectorString": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-384: Session Fixation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/security/advisory/Synology_SA_21_26",
"refsource": "CONFIRM",
"url": "https://www.synology.com/security/advisory/Synology_SA_21_26"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2022-22681",
"datePublished": "2022-07-06T07:35:10.641885Z",
"dateReserved": "2022-01-05T00:00:00",
"dateUpdated": "2024-09-16T16:18:01.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10331 (GCVE-0-2016-10331)
Vulnerability from cvelistv5
Published
2017-05-12 20:00
Modified
2024-08-06 03:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Directory Traversal ()
Summary
Directory traversal vulnerability in download.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to read arbitrary files via a full pathname in the id parameter.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Synology Photo Station |
Version: All versions prior to version 6.5.3-3226 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:14:42.900Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-06-Local-File-Inclusion"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 6.5.3-3226"
}
]
}
],
"datePublic": "2016-08-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in download.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to read arbitrary files via a full pathname in the id parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Directory Traversal (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-12T19:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-06-Local-File-Inclusion"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"ID": "CVE-2016-10331",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Synology Photo Station",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 6.5.3-3226"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in download.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to read arbitrary files via a full pathname in the id parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Directory Traversal (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226"
},
{
"name": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-06-Local-File-Inclusion",
"refsource": "MISC",
"url": "https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-06-Local-File-Inclusion"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2016-10331",
"datePublished": "2017-05-12T20:00:00",
"dateReserved": "2017-04-18T00:00:00",
"dateUpdated": "2024-08-06T03:14:42.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9102 (GCVE-0-2015-9102)
Vulnerability from cvelistv5
Published
2017-06-30 13:00
Modified
2024-09-17 03:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross Site Scripting ()
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Photo Station |
Version: 6.0 Version: 6.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:36:31.961Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-104"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-109"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-112"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_3_2962"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-103"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"status": "affected",
"version": "6.3"
}
]
}
],
"datePublic": "2015-12-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-06-30T12:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-104"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-109"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-112"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_3_2962"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-103"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2015-12-13T00:00:00",
"ID": "CVE-2015-9102",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Photo Station",
"version": {
"version_data": [
{
"version_value": "6.0"
},
{
"version_value": "6.3"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross Site Scripting (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.fortiguard.com/zeroday/FG-VD-15-104",
"refsource": "MISC",
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-104"
},
{
"name": "http://www.fortiguard.com/zeroday/FG-VD-15-109",
"refsource": "MISC",
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-109"
},
{
"name": "http://www.fortiguard.com/zeroday/FG-VD-15-112",
"refsource": "MISC",
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-112"
},
{
"name": "https://www.synology.com/en-global/support/security/Photo_Station_6_3_2962",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Photo_Station_6_3_2962"
},
{
"name": "http://www.fortiguard.com/zeroday/FG-VD-15-103",
"refsource": "MISC",
"url": "http://www.fortiguard.com/zeroday/FG-VD-15-103"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2015-9102",
"datePublished": "2017-06-30T13:00:00Z",
"dateReserved": "2017-06-29T00:00:00",
"dateUpdated": "2024-09-17T03:14:38.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11821 (GCVE-0-2019-11821)
Vulnerability from cvelistv5
Published
2019-06-30 15:00
Modified
2024-09-17 01:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ()
Summary
SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Photo Station |
Version: unspecified < 6.8.11-3489 Version: unspecified < 6.3-2977 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:03:32.863Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_19_01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Photo Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "6.8.11-3489",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "6.3-2977",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-06-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (CWE-89)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-30T15:00:22",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/security/advisory/Synology_SA_19_01"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2019-06-30T00:00:00",
"ID": "CVE-2019-11821",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Photo Station",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "6.8.11-3489"
},
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "6.3-2977"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Special Elements used in an SQL Command (CWE-89)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/security/advisory/Synology_SA_19_01",
"refsource": "CONFIRM",
"url": "https://www.synology.com/security/advisory/Synology_SA_19_01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2019-11821",
"datePublished": "2019-06-30T15:00:22.620200Z",
"dateReserved": "2019-05-08T00:00:00",
"dateUpdated": "2024-09-17T01:46:34.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}