Vulnerabilites related to synology - surveillance_station
CVE-2024-29231 (GCVE-0-2024-29231)
Vulnerability from cvelistv5
Published
2024-03-28 06:23
Modified
2025-08-13 13:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-129 - Improper Validation of Array Index
Summary
Improper validation of array index vulnerability in UserPrivilege.Enum webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: * ≤ Version: * ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29231",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T19:07:24.893571Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T13:36:05.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:55.364Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "9.2.0-11289",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "9.2.0-9289",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper validation of array index vulnerability in UserPrivilege.Enum webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-129",
"description": "Improper Validation of Array Index",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T04:40:16.937Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2024-29231",
"datePublished": "2024-03-28T06:23:39.710Z",
"dateReserved": "2024-03-19T06:14:19.314Z",
"dateUpdated": "2025-08-13T13:36:05.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29232 (GCVE-0-2024-29232)
Vulnerability from cvelistv5
Published
2024-03-28 06:24
Modified
2025-08-01 04:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Alert.Enum webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: * ≤ Version: * ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29232",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T14:38:38.438246Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T14:38:45.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.696Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "9.2.0-9289",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "9.2.0-11289",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in Alert.Enum webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T04:42:43.317Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2024-29232",
"datePublished": "2024-03-28T06:24:18.371Z",
"dateReserved": "2024-03-19T06:14:19.314Z",
"dateUpdated": "2025-08-01T04:42:43.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29236 (GCVE-0-2024-29236)
Vulnerability from cvelistv5
Published
2024-03-28 06:27
Modified
2025-08-01 04:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in AudioPattern.Delete webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: * ≤ Version: * ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29236",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T14:46:40.801540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T14:46:49.421Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:55.418Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "9.2.0-9289",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "9.2.0-11289",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in AudioPattern.Delete webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T04:49:09.342Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2024-29236",
"datePublished": "2024-03-28T06:27:09.078Z",
"dateReserved": "2024-03-19T06:14:19.314Z",
"dateUpdated": "2025-08-01T04:49:09.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29227 (GCVE-0-2024-29227)
Vulnerability from cvelistv5
Published
2024-03-28 06:08
Modified
2025-08-01 03:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Layout.LayoutSave webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: * ≤ Version: * ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:55.403Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "surveillance_station",
"vendor": "synology",
"versions": [
{
"lessThan": "9.2.0-9289",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "9.2.0-11289",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29227",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T18:39:11.254947Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T20:29:00.498Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "9.2.0-9289",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "9.2.0-11289",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in Layout.LayoutSave webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T03:46:55.183Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2024-29227",
"datePublished": "2024-03-28T06:08:34.641Z",
"dateReserved": "2024-03-19T06:14:19.314Z",
"dateUpdated": "2025-08-01T03:46:55.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29238 (GCVE-0-2024-29238)
Vulnerability from cvelistv5
Published
2024-03-28 06:28
Modified
2025-08-01 04:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: * ≤ Version: * ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29238",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T18:39:53.697682Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:57:44.136Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.448Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "9.2.0-9289",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "9.2.0-11289",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in Log.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T04:52:14.346Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2024-29238",
"datePublished": "2024-03-28T06:28:14.399Z",
"dateReserved": "2024-03-19T06:14:19.315Z",
"dateUpdated": "2025-08-01T04:52:14.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29230 (GCVE-0-2024-29230)
Vulnerability from cvelistv5
Published
2024-03-28 06:22
Modified
2025-08-01 04:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in SnapShot.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: * ≤ Version: * ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29230",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T14:45:56.805468Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T14:46:08.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:55.407Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "9.2.0-11289",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "9.2.0-9289",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in SnapShot.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T04:36:18.221Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2024-29230",
"datePublished": "2024-03-28T06:22:54.365Z",
"dateReserved": "2024-03-19T06:14:19.314Z",
"dateUpdated": "2025-08-01T04:36:18.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29235 (GCVE-0-2024-29235)
Vulnerability from cvelistv5
Published
2024-03-28 06:26
Modified
2025-08-01 04:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in IOModule.EnumLog webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: * ≤ Version: * ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29235",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T15:42:14.848149Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:57:36.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.631Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "9.2.0-11289",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "9.2.0-9289",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in IOModule.EnumLog webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T04:47:41.947Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2024-29235",
"datePublished": "2024-03-28T06:26:32.275Z",
"dateReserved": "2024-03-19T06:14:19.314Z",
"dateUpdated": "2025-08-01T04:47:41.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29239 (GCVE-0-2024-29239)
Vulnerability from cvelistv5
Published
2024-03-28 06:28
Modified
2025-08-01 04:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Recording.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: * ≤ Version: * ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29239",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T14:47:15.901229Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T14:47:22.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.544Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "9.2.0-11289",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "9.2.0-9289",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in Recording.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T04:53:34.132Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2024-29239",
"datePublished": "2024-03-28T06:28:31.235Z",
"dateReserved": "2024-03-19T06:14:19.316Z",
"dateUpdated": "2025-08-01T04:53:34.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29233 (GCVE-0-2024-29233)
Vulnerability from cvelistv5
Published
2024-03-28 06:25
Modified
2025-08-01 04:44
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Emap.Delete webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: * ≤ Version: * ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29233",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T18:10:03.739036Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:58:03.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.646Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "9.2.0-9289",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "9.2.0-11289",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in Emap.Delete webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T04:44:41.956Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2024-29233",
"datePublished": "2024-03-28T06:25:27.881Z",
"dateReserved": "2024-03-19T06:14:19.314Z",
"dateUpdated": "2025-08-01T04:44:41.956Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52944 (GCVE-0-2023-52944)
Vulnerability from cvelistv5
Published
2024-12-04 07:05
Modified
2024-12-04 14:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Incorrect authorization vulnerability in ActionRule webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to perform limited actions on the set action rules function via unspecified vectors.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: * ≤ Version: * ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52944",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-04T14:05:10.590106Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-04T14:09:11.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "9.2.0-11289",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "9.2.0-9289",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Zhao Runzi (\u8d75\u6da6\u6893)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Incorrect authorization vulnerability in ActionRule webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to perform limited actions on the set action rules function via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-04T07:05:32.103Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2023-52944",
"datePublished": "2024-12-04T07:05:32.103Z",
"dateReserved": "2024-09-24T08:35:52.121Z",
"dateUpdated": "2024-12-04T14:09:11.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29240 (GCVE-0-2024-29240)
Vulnerability from cvelistv5
Published
2024-03-28 06:28
Modified
2025-08-01 04:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing authorization vulnerability in LayoutSave webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to conduct limited denial-of-service attacks via unspecified vectors.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: * ≤ Version: * ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29240",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-10T19:45:29.212254Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:57:21.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:55.414Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "9.2.0-9289",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "9.2.0-11289",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing authorization vulnerability in LayoutSave webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to conduct limited denial-of-service attacks via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T04:55:21.100Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2024-29240",
"datePublished": "2024-03-28T06:28:38.385Z",
"dateReserved": "2024-03-19T06:14:19.316Z",
"dateUpdated": "2025-08-01T04:55:21.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29229 (GCVE-0-2024-29229)
Vulnerability from cvelistv5
Published
2024-03-28 06:19
Modified
2024-08-12 19:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing authorization vulnerability in GetLiveViewPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: * ≤ Version: * ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:55.314Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29229",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T19:09:01.432005Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T19:09:16.394Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "9.2.0-9289",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "9.2.0-11289",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing authorization vulnerability in GetLiveViewPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-28T06:19:39.482Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2024-29229",
"datePublished": "2024-03-28T06:19:39.482Z",
"dateReserved": "2024-03-19T06:14:19.314Z",
"dateUpdated": "2024-08-12T19:09:16.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29228 (GCVE-0-2024-29228)
Vulnerability from cvelistv5
Published
2024-03-28 06:13
Modified
2024-08-02 01:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing authorization vulnerability in GetStmUrlPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: * ≤ Version: * ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T14:41:51.043562Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T14:41:57.061Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:55.441Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "9.2.0-9289",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "9.2.0-11289",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing authorization vulnerability in GetStmUrlPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-28T06:13:20.333Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2024-29228",
"datePublished": "2024-03-28T06:13:20.333Z",
"dateReserved": "2024-03-19T06:14:19.314Z",
"dateUpdated": "2024-08-02T01:10:55.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16770 (GCVE-0-2017-16770)
Vulnerability from cvelistv5
Published
2018-02-27 15:00
Modified
2024-09-16 19:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-538 - File and Directory Information Exposure ()
Summary
File and directory information exposure vulnerability in SYNO.SurveillanceStation.PersonalSettings.Photo in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to obtain other user's sensitive files via the filename parameter.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: before 8.1.2-5469 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:35:20.936Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_77"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "before 8.1.2-5469"
}
]
}
],
"datePublic": "2017-12-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "File and directory information exposure vulnerability in SYNO.SurveillanceStation.PersonalSettings.Photo in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to obtain other user\u0027s sensitive files via the filename parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-538",
"description": "File and Directory Information Exposure (CWE-538)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-27T14:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_77"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2017-12-12T00:00:00",
"ID": "CVE-2017-16770",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Surveillance Station",
"version": {
"version_data": [
{
"version_value": "before 8.1.2-5469"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "File and directory information exposure vulnerability in SYNO.SurveillanceStation.PersonalSettings.Photo in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to obtain other user\u0027s sensitive files via the filename parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "File and Directory Information Exposure (CWE-538)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Synology_SA_17_77",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_77"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2017-16770",
"datePublished": "2018-02-27T15:00:00Z",
"dateReserved": "2017-11-10T00:00:00",
"dateUpdated": "2024-09-16T19:30:32.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29241 (GCVE-0-2024-29241)
Vulnerability from cvelistv5
Published
2024-03-28 06:28
Modified
2025-08-12 08:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain non-sensitive information, write sensitive configurations in DSM, and reboot or shutdown NAS via unspecified vectors.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: * ≤ Version: * ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29241",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T14:42:30.710313Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T14:42:37.136Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.736Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "9.2.0-11289",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "9.2.0-9289",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain non-sensitive information, write sensitive configurations in DSM, and reboot or shutdown NAS via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-12T08:09:15.488Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2024-29241",
"datePublished": "2024-03-28T06:28:53.632Z",
"dateReserved": "2024-03-19T06:14:19.316Z",
"dateUpdated": "2025-08-12T08:09:15.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16767 (GCVE-0-2017-16767)
Vulnerability from cvelistv5
Published
2018-02-27 15:00
Modified
2024-09-16 23:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ()
Summary
Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: before 8.1.2-5469 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:35:20.877Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_77"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "before 8.1.2-5469"
}
]
}
],
"datePublic": "2017-12-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (CWE-79)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-27T14:57:01",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_77"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@synology.com",
"DATE_PUBLIC": "2017-12-12T00:00:00",
"ID": "CVE-2017-16767",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Surveillance Station",
"version": {
"version_data": [
{
"version_value": "before 8.1.2-5469"
}
]
}
}
]
},
"vendor_name": "Synology"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Neutralization of Input During Web Page Generation (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.synology.com/en-global/support/security/Synology_SA_17_77",
"refsource": "CONFIRM",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_77"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2017-16767",
"datePublished": "2018-02-27T15:00:00Z",
"dateReserved": "2017-11-10T00:00:00",
"dateUpdated": "2024-09-16T23:26:42.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29234 (GCVE-0-2024-29234)
Vulnerability from cvelistv5
Published
2024-03-28 06:26
Modified
2025-08-01 04:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Group.Save webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: * ≤ Version: * ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29234",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T19:10:31.894996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:57:48.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.645Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "9.2.0-11289",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "9.2.0-9289",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in Group.Save webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T04:46:13.156Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2024-29234",
"datePublished": "2024-03-28T06:26:12.750Z",
"dateReserved": "2024-03-19T06:14:19.314Z",
"dateUpdated": "2025-08-01T04:46:13.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52943 (GCVE-0-2023-52943)
Vulnerability from cvelistv5
Published
2024-12-04 07:04
Modified
2024-12-04 14:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Incorrect authorization vulnerability in Alert.Setting webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to to perform limited actions on the alerting function via unspecified vectors.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: * ≤ Version: * ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52943",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-04T14:05:16.529568Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-04T14:09:11.579Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "9.2.0-11289",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "9.2.0-9289",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Zhao Runzi (\u8d75\u6da6\u6893)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Incorrect authorization vulnerability in Alert.Setting webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to to perform limited actions on the alerting function via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-04T07:04:36.932Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2023-52943",
"datePublished": "2024-12-04T07:04:36.932Z",
"dateReserved": "2024-09-24T08:35:52.121Z",
"dateUpdated": "2024-12-04T14:09:11.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29237 (GCVE-0-2024-29237)
Vulnerability from cvelistv5
Published
2024-03-28 06:27
Modified
2025-08-01 04:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in ActionRule.Delete webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Synology | Surveillance Station |
Version: * ≤ Version: * ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29237",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T18:20:42.718476Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T20:13:02.670Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:55.354Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Surveillance Station",
"vendor": "Synology",
"versions": [
{
"lessThan": "9.2.0-9289",
"status": "affected",
"version": "*",
"versionType": "semver"
},
{
"lessThan": "9.2.0-11289",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in ActionRule.Delete webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T04:50:52.275Z",
"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"shortName": "synology"
},
"references": [
{
"name": "Synology-SA-24:04 Surveillance Station",
"tags": [
"vendor-advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
"assignerShortName": "synology",
"cveId": "CVE-2024-29237",
"datePublished": "2024-03-28T06:27:39.249Z",
"dateReserved": "2024-03-19T06:14:19.315Z",
"dateUpdated": "2025-08-01T04:50:52.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2024-03-28 07:16
Modified
2025-08-04 19:08
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
Missing authorization vulnerability in LayoutSave webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to conduct limited denial-of-service attacks via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * | |
| synology | diskstation_manager | 6.2 | |
| synology | surveillance_station | * | |
| synology | diskstation_manager | 7.1 | |
| synology | diskstation_manager | 7.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187A263E-E3AE-4800-90E7-D3090E736C9E",
"versionEndExcluding": "9.2.0-9289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F59B6F9A-253C-43C6-B88D-BB18242A1EA9",
"versionEndExcluding": "9.2.0-11289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "10C4B055-D99B-4D58-811C-DD323A68A890",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Missing authorization vulnerability in LayoutSave webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to conduct limited denial-of-service attacks via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de autorizaci\u00f3n faltante en el componente webapi LayoutSave en Synology Surveillance Station anterior a 9.2.0-11289 y 9.2.0-9289 permite a usuarios autenticados remotamente realizar ataques de denegaci\u00f3n de servicio a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2024-29240",
"lastModified": "2025-08-04T19:08:23.200",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-28T07:16:11.083",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security@synology.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-28 07:16
Modified
2025-08-04 19:08
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in AudioPattern.Delete webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * | |
| synology | diskstation_manager | 6.2 | |
| synology | surveillance_station | * | |
| synology | diskstation_manager | 7.1 | |
| synology | diskstation_manager | 7.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187A263E-E3AE-4800-90E7-D3090E736C9E",
"versionEndExcluding": "9.2.0-9289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F59B6F9A-253C-43C6-B88D-BB18242A1EA9",
"versionEndExcluding": "9.2.0-11289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "10C4B055-D99B-4D58-811C-DD323A68A890",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in AudioPattern.Delete webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
},
{
"lang": "es",
"value": "Neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL (\"Inyecci\u00f3n SQL\") en el componente webapi AudioPattern.Delete en Synology Surveillance Station anterior a 9.2.0-9289 y 9.2.0-11289 permite a usuarios remotos autenticados inyectar comandos SQL a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2024-29236",
"lastModified": "2025-08-04T19:08:33.847",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-28T07:16:08.340",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@synology.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-28 07:16
Modified
2025-08-04 19:08
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Recording.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * | |
| synology | diskstation_manager | 6.2 | |
| synology | surveillance_station | * | |
| synology | diskstation_manager | 7.1 | |
| synology | diskstation_manager | 7.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187A263E-E3AE-4800-90E7-D3090E736C9E",
"versionEndExcluding": "9.2.0-9289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F59B6F9A-253C-43C6-B88D-BB18242A1EA9",
"versionEndExcluding": "9.2.0-11289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "10C4B055-D99B-4D58-811C-DD323A68A890",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in Recording.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
},
{
"lang": "es",
"value": "La neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL (\"Inyecci\u00f3n SQL\") en el componente webapi Recording.CountByCategory en Synology Surveillance Station anterior a 9.2.0-11289 y 9.2.0-9289 permite a usuarios remotos autenticados inyectar comandos SQL a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2024-29239",
"lastModified": "2025-08-04T19:08:26.173",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-28T07:16:10.293",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@synology.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-02-27 15:29
Modified
2024-11-21 03:16
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E5DF9EAA-EAB8-4EB7-B1F7-168ADB98BFEE",
"versionEndExcluding": "8.1.2-5469",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Scripting (XSS) en User Profile en Synology Surveillance Station en versiones anteriores a la 8.1.2-5469 permite que atacantes remotos autenticados inyecten scripts web o HTML arbitrarios mediante el par\u00e1metro userDesc."
}
],
"id": "CVE-2017-16767",
"lastModified": "2024-11-21T03:16:56.037",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-27T15:29:00.317",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_77"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_77"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-28 07:16
Modified
2025-08-04 19:08
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in IOModule.EnumLog webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * | |
| synology | diskstation_manager | 6.2 | |
| synology | surveillance_station | * | |
| synology | diskstation_manager | 7.1 | |
| synology | diskstation_manager | 7.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187A263E-E3AE-4800-90E7-D3090E736C9E",
"versionEndExcluding": "9.2.0-9289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F59B6F9A-253C-43C6-B88D-BB18242A1EA9",
"versionEndExcluding": "9.2.0-11289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "10C4B055-D99B-4D58-811C-DD323A68A890",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in IOModule.EnumLog webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
},
{
"lang": "es",
"value": "La neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL (\"Inyecci\u00f3n SQL\") en el componente webapi IOModule.EnumLog en Synology Surveillance Station anterior a 9.2.0-11289 y 9.2.0-9289 permite a usuarios remotos autenticados inyectar comandos SQL a trav\u00e9s de vectores no especificados ."
}
],
"id": "CVE-2024-29235",
"lastModified": "2025-08-04T19:08:36.830",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-28T07:16:07.657",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@synology.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-28 07:16
Modified
2025-08-04 19:09
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Summary
Improper validation of array index vulnerability in UserPrivilege.Enum webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * | |
| synology | diskstation_manager | 6.2 | |
| synology | surveillance_station | * | |
| synology | diskstation_manager | 7.1 | |
| synology | diskstation_manager | 7.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187A263E-E3AE-4800-90E7-D3090E736C9E",
"versionEndExcluding": "9.2.0-9289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F59B6F9A-253C-43C6-B88D-BB18242A1EA9",
"versionEndExcluding": "9.2.0-11289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "10C4B055-D99B-4D58-811C-DD323A68A890",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper validation of array index vulnerability in UserPrivilege.Enum webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
},
{
"lang": "es",
"value": "La validaci\u00f3n incorrecta de la vulnerabilidad del \u00edndice de matriz en el componente webapi UserPrivilege.Enum en Synology Surveillance Station anterior a 9.2.0-9289 y 9.2.0-11289 permite a los usuarios autenticados remotamente eludir las restricciones de seguridad a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2024-29231",
"lastModified": "2025-08-04T19:09:15.620",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-28T07:16:04.170",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-129"
}
],
"source": "security@synology.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-28 07:15
Modified
2025-08-04 19:09
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Layout.LayoutSave webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * | |
| synology | diskstation_manager | 6.2 | |
| synology | surveillance_station | * | |
| synology | diskstation_manager | 7.1 | |
| synology | diskstation_manager | 7.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187A263E-E3AE-4800-90E7-D3090E736C9E",
"versionEndExcluding": "9.2.0-9289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F59B6F9A-253C-43C6-B88D-BB18242A1EA9",
"versionEndExcluding": "9.2.0-11289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "10C4B055-D99B-4D58-811C-DD323A68A890",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in Layout.LayoutSave webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
},
{
"lang": "es",
"value": "La neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL (\"Inyecci\u00f3n SQL\") en Layout.LayoutSave webapi component in Synology Surveillance Station anterior a 9.2.0-9289 y 9.2.0-11289 permite a usuarios remotos autenticados inyectar comandos SQL a trav\u00e9s de vectores no especificados ."
}
],
"id": "CVE-2024-29227",
"lastModified": "2025-08-04T19:09:20.870",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-28T07:15:59.770",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@synology.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-28 07:16
Modified
2025-08-12 17:34
Severity ?
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
Summary
Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain non-sensitive information, write sensitive configurations in DSM, and reboot or shutdown NAS via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * | |
| synology | diskstation_manager | 6.2 | |
| synology | surveillance_station | * | |
| synology | diskstation_manager | 7.1 | |
| synology | diskstation_manager | 7.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187A263E-E3AE-4800-90E7-D3090E736C9E",
"versionEndExcluding": "9.2.0-9289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F59B6F9A-253C-43C6-B88D-BB18242A1EA9",
"versionEndExcluding": "9.2.0-11289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "10C4B055-D99B-4D58-811C-DD323A68A890",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain non-sensitive information, write sensitive configurations in DSM, and reboot or shutdown NAS via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de autorizaci\u00f3n faltante en el componente webapi System en Synology Surveillance Station anterior a 9.2.0-9289 y 9.2.0-11289 permite a los usuarios autenticados remotamente eludir las restricciones de seguridad a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2024-29241",
"lastModified": "2025-08-12T17:34:11.550",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-28T07:16:12.177",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security@synology.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-12-04 07:15
Modified
2025-03-06 14:29
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Incorrect authorization vulnerability in Alert.Setting webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to to perform limited actions on the alerting function via unspecified vectors.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@synology.com | https://www.synology.com/en-global/security/advisory/Synology_SA_24_04 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * | |
| synology | diskstation_manager | 6.2 | |
| synology | surveillance_station | * | |
| synology | diskstation_manager | 7.1 | |
| synology | diskstation_manager | 7.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187A263E-E3AE-4800-90E7-D3090E736C9E",
"versionEndExcluding": "9.2.0-9289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F59B6F9A-253C-43C6-B88D-BB18242A1EA9",
"versionEndExcluding": "9.2.0-11289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "10C4B055-D99B-4D58-811C-DD323A68A890",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect authorization vulnerability in Alert.Setting webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to to perform limited actions on the alerting function via unspecified vectors."
},
{
"lang": "es",
"value": " Vulnerabilidad de autorizaci\u00f3n incorrecta en el componente webapi Alert.Setting en Synology Surveillance Station anterior a 9.2.0-11289 y 9.2.0-9289 permite a usuarios autenticados remotos realizar acciones limitadas en la funci\u00f3n de alerta a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2023-52943",
"lastModified": "2025-03-06T14:29:59.667",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-12-04T07:15:04.033",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security@synology.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-28 07:16
Modified
2025-08-04 19:08
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Group.Save webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * | |
| synology | diskstation_manager | 6.2 | |
| synology | surveillance_station | * | |
| synology | diskstation_manager | 7.1 | |
| synology | diskstation_manager | 7.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187A263E-E3AE-4800-90E7-D3090E736C9E",
"versionEndExcluding": "9.2.0-9289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F59B6F9A-253C-43C6-B88D-BB18242A1EA9",
"versionEndExcluding": "9.2.0-11289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "10C4B055-D99B-4D58-811C-DD323A68A890",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in Group.Save webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
},
{
"lang": "es",
"value": "Neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL (\"Inyecci\u00f3n SQL\") en el componente Group.Save webapi en Synology Surveillance Station anterior a 9.2.0-11289 y 9.2.0-9289 permite a usuarios remotos autenticados inyectar comandos SQL a trav\u00e9s de vectores no especificados ."
}
],
"id": "CVE-2024-29234",
"lastModified": "2025-08-04T19:08:39.317",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-28T07:16:06.830",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@synology.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-28 07:16
Modified
2025-01-14 20:12
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Summary
Missing authorization vulnerability in GetLiveViewPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * | |
| synology | diskstation_manager | 6.2 | |
| synology | surveillance_station | * | |
| synology | diskstation_manager | 7.1 | |
| synology | diskstation_manager | 7.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187A263E-E3AE-4800-90E7-D3090E736C9E",
"versionEndExcluding": "9.2.0-9289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F59B6F9A-253C-43C6-B88D-BB18242A1EA9",
"versionEndExcluding": "9.2.0-11289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "10C4B055-D99B-4D58-811C-DD323A68A890",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Missing authorization vulnerability in GetLiveViewPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de autorizaci\u00f3n faltante en el componente webapi GetLiveViewPath en Synology Surveillance Station anterior a 9.2.0-9289 y 9.2.0-11289 permite a usuarios autenticados remotamente obtener informaci\u00f3n confidencial a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2024-29229",
"lastModified": "2025-01-14T20:12:23.290",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-28T07:16:02.680",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security@synology.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-28 07:16
Modified
2025-08-04 19:08
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * | |
| synology | diskstation_manager | 6.2 | |
| synology | surveillance_station | * | |
| synology | diskstation_manager | 7.1 | |
| synology | diskstation_manager | 7.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187A263E-E3AE-4800-90E7-D3090E736C9E",
"versionEndExcluding": "9.2.0-9289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F59B6F9A-253C-43C6-B88D-BB18242A1EA9",
"versionEndExcluding": "9.2.0-11289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "10C4B055-D99B-4D58-811C-DD323A68A890",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in Log.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
},
{
"lang": "es",
"value": "La neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL (\"Inyecci\u00f3n SQL\") en el componente webapi Log.CountByCategory en Synology Surveillance Station anterior a 9.2.0-9289 y 9.2.0-11289 permite a usuarios remotos autenticados inyectar comandos SQL a trav\u00e9s de vectores no especificados ."
}
],
"id": "CVE-2024-29238",
"lastModified": "2025-08-04T19:08:28.913",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-28T07:16:09.570",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@synology.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-02-27 15:29
Modified
2024-11-21 03:16
Severity ?
Summary
File and directory information exposure vulnerability in SYNO.SurveillanceStation.PersonalSettings.Photo in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to obtain other user's sensitive files via the filename parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E5DF9EAA-EAB8-4EB7-B1F7-168ADB98BFEE",
"versionEndExcluding": "8.1.2-5469",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "File and directory information exposure vulnerability in SYNO.SurveillanceStation.PersonalSettings.Photo in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to obtain other user\u0027s sensitive files via the filename parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de exposici\u00f3n de informaci\u00f3n de archivos y directorios en SYNO.SurveillanceStation.PersonalSettings.Photo en Synology Surveillance Station, en versiones anteriores a la 8.1.2-5469, permite que usuarios autenticados remotos obtengan los archivos sensibles de otros usuarios mediante el par\u00e1metro filename."
}
],
"id": "CVE-2017-16770",
"lastModified": "2024-11-21T03:16:56.350",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-27T15:29:00.380",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_77"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/support/security/Synology_SA_17_77"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-538"
}
],
"source": "security@synology.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-28 07:16
Modified
2025-08-04 19:08
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Emap.Delete webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * | |
| synology | diskstation_manager | 6.2 | |
| synology | surveillance_station | * | |
| synology | diskstation_manager | 7.1 | |
| synology | diskstation_manager | 7.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187A263E-E3AE-4800-90E7-D3090E736C9E",
"versionEndExcluding": "9.2.0-9289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F59B6F9A-253C-43C6-B88D-BB18242A1EA9",
"versionEndExcluding": "9.2.0-11289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "10C4B055-D99B-4D58-811C-DD323A68A890",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in Emap.Delete webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
},
{
"lang": "es",
"value": "Neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL (\u0027Inyecci\u00f3n SQL\u0027) en Emap. El componente webapi Emap.Delet en Synology Surveillance Station anterior a 9.2.0-9289 y 9.2.0-11289 permite a usuarios remotos autenticados inyectar comandos SQL a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2024-29233",
"lastModified": "2025-08-04T19:08:42.790",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-28T07:16:06.060",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@synology.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-28 07:16
Modified
2025-08-04 19:09
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in SnapShot.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * | |
| synology | diskstation_manager | 6.2 | |
| synology | surveillance_station | * | |
| synology | diskstation_manager | 7.1 | |
| synology | diskstation_manager | 7.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187A263E-E3AE-4800-90E7-D3090E736C9E",
"versionEndExcluding": "9.2.0-9289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F59B6F9A-253C-43C6-B88D-BB18242A1EA9",
"versionEndExcluding": "9.2.0-11289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "10C4B055-D99B-4D58-811C-DD323A68A890",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in SnapShot.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
},
{
"lang": "es",
"value": "La neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL (\"Inyecci\u00f3n SQL\") en el componente webapi SnapShot.CountByCategory en Synology Surveillance Station anterior a 9.2.0-9289 y 9.2.0-11289 permite a usuarios remotos autenticados inyectar comandos SQL a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2024-29230",
"lastModified": "2025-08-04T19:09:18.470",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-28T07:16:03.380",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@synology.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-28 07:16
Modified
2025-08-04 19:08
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in ActionRule.Delete webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * | |
| synology | diskstation_manager | 6.2 | |
| synology | surveillance_station | * | |
| synology | diskstation_manager | 7.1 | |
| synology | diskstation_manager | 7.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187A263E-E3AE-4800-90E7-D3090E736C9E",
"versionEndExcluding": "9.2.0-9289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F59B6F9A-253C-43C6-B88D-BB18242A1EA9",
"versionEndExcluding": "9.2.0-11289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "10C4B055-D99B-4D58-811C-DD323A68A890",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in ActionRule.Delete webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
},
{
"lang": "es",
"value": "Neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL (\"Inyecci\u00f3n SQL\") en el componente webapi ActionRule.Delete en Synology Surveillance Station anterior a 9.2.0-11289 y 9.2.0-9289 permite a usuarios remotos autenticados inyectar comandos SQL a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2024-29237",
"lastModified": "2025-08-04T19:08:31.363",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-28T07:16:09.077",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@synology.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-12-04 07:15
Modified
2025-03-06 14:30
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Incorrect authorization vulnerability in ActionRule webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to perform limited actions on the set action rules function via unspecified vectors.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@synology.com | https://www.synology.com/en-global/security/advisory/Synology_SA_24_04 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * | |
| synology | diskstation_manager | 6.2 | |
| synology | surveillance_station | * | |
| synology | diskstation_manager | 7.1 | |
| synology | diskstation_manager | 7.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187A263E-E3AE-4800-90E7-D3090E736C9E",
"versionEndExcluding": "9.2.0-9289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F59B6F9A-253C-43C6-B88D-BB18242A1EA9",
"versionEndExcluding": "9.2.0-11289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "10C4B055-D99B-4D58-811C-DD323A68A890",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect authorization vulnerability in ActionRule webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to perform limited actions on the set action rules function via unspecified vectors."
},
{
"lang": "es",
"value": "La vulnerabilidad de autorizaci\u00f3n incorrecta en el componente webapi ActionRule en Synology Surveillance Station anterior a 9.2.0-11289 y 9.2.0-9289 permite a usuarios autenticados remotos realizar acciones limitadas en la funci\u00f3n de reglas de acci\u00f3n establecidas a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2023-52944",
"lastModified": "2025-03-06T14:30:43.413",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-12-04T07:15:05.790",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security@synology.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-28 07:16
Modified
2025-08-04 19:08
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Summary
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Alert.Enum webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * | |
| synology | diskstation_manager | 6.2 | |
| synology | surveillance_station | * | |
| synology | diskstation_manager | 7.1 | |
| synology | diskstation_manager | 7.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187A263E-E3AE-4800-90E7-D3090E736C9E",
"versionEndExcluding": "9.2.0-9289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F59B6F9A-253C-43C6-B88D-BB18242A1EA9",
"versionEndExcluding": "9.2.0-11289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "10C4B055-D99B-4D58-811C-DD323A68A890",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper neutralization of special elements used in an SQL command (\u0027SQL Injection\u0027) vulnerability in Alert.Enum webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to read database containing non-sensitive information and conduct limited denial-of-service attacks via unspecified vectors."
},
{
"lang": "es",
"value": "La neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL (\"Inyecci\u00f3n SQL\") en el componente webapi Alert.Enum en Synology Surveillance Station anterior a 9.2.0-11289 y 9.2.0-9289 permite a usuarios remotos autenticados inyectar comandos SQL a trav\u00e9s de vectores no especificados ."
}
],
"id": "CVE-2024-29232",
"lastModified": "2025-08-04T19:08:46.257",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-28T07:16:05.133",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@synology.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-03-28 07:16
Modified
2025-01-14 20:11
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Summary
Missing authorization vulnerability in GetStmUrlPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| synology | surveillance_station | * | |
| synology | diskstation_manager | 6.2 | |
| synology | surveillance_station | * | |
| synology | diskstation_manager | 7.1 | |
| synology | diskstation_manager | 7.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187A263E-E3AE-4800-90E7-D3090E736C9E",
"versionEndExcluding": "9.2.0-9289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:synology:surveillance_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F59B6F9A-253C-43C6-B88D-BB18242A1EA9",
"versionEndExcluding": "9.2.0-11289",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "10C4B055-D99B-4D58-811C-DD323A68A890",
"vulnerable": false
},
{
"criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Missing authorization vulnerability in GetStmUrlPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de autorizaci\u00f3n faltante en el componente webapi GetStmUrlPath en Synology Surveillance Station anterior a 9.2.0-9289 y 9.2.0-11289 permite a usuarios autenticados remotamente obtener informaci\u00f3n confidencial a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2024-29228",
"lastModified": "2025-01-14T20:11:42.487",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "security@synology.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-28T07:16:00.733",
"references": [
{
"source": "security@synology.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_04"
}
],
"sourceIdentifier": "security@synology.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security@synology.com",
"type": "Primary"
}
]
}