Filtered by vendor Synology
Subscriptions
Filtered by product Diskstation Manager
Subscriptions
Total
94 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2020-27656 | 1 Synology | 1 Diskstation Manager | 2024-09-16 | 6.5 Medium |
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors. | ||||
CVE-2018-13284 | 1 Synology | 1 Diskstation Manager | 2024-09-16 | N/A |
Command injection vulnerability in ftpd in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command. | ||||
CVE-2022-27618 | 1 Synology | 2 Diskstation Manager, Storage Analyzer | 2024-09-16 | 6.8 Medium |
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology Storage Analyzer before 2.1.0-0390 allows remote authenticated users to delete arbitrary files via unspecified vectors. | ||||
CVE-2018-8917 | 1 Synology | 1 Diskstation Manager | 2024-09-16 | N/A |
Cross-site scripting (XSS) vulnerability in info.cgi in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary web script or HTML via the host parameter. | ||||
CVE-2022-22687 | 1 Synology | 2 Diskstation Manager, Diskstation Manager Unified Controller | 2024-09-16 | 9.8 Critical |
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors. | ||||
CVE-2021-44142 | 6 Canonical, Debian, Fedoraproject and 3 more | 28 Ubuntu Linux, Debian Linux, Fedora and 25 more | 2024-09-16 | 8.8 High |
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root. | ||||
CVE-2021-26563 | 1 Synology | 7 Diskstation Manager, Diskstation Manager Unified Controller, Skynas and 4 more | 2024-09-16 | 8.2 High |
Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors. | ||||
CVE-2014-2264 | 1 Synology | 1 Diskstation Manager | 2024-09-16 | N/A |
The OpenVPN module in Synology DiskStation Manager (DSM) 4.3-3810 update 1 has a hardcoded root password of synopass, which makes it easier for remote attackers to obtain access via a VPN session. | ||||
CVE-2012-1556 | 1 Synology | 2 Diskstation Manager, Synology Photo Station | 2024-08-06 | N/A |
Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php. | ||||
CVE-2013-6987 | 1 Synology | 1 Diskstation Manager | 2024-08-06 | N/A |
Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter to file_delete.cgi or (2) folder_path parameter to file_share.cgi in webapi/FileStation/; (3) dlink parameter to fbdownload/; or unspecified parameters to (4) html5_upload.cgi, (5) file_download.cgi, (6) file_sharing.cgi, (7) file_MVCP.cgi, or (8) file_rename.cgi in webapi/FileStation/. | ||||
CVE-2013-6955 | 1 Synology | 1 Diskstation Manager | 2024-08-06 | N/A |
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header. | ||||
CVE-2015-4655 | 1 Synology | 1 Diskstation Manager | 2024-08-06 | N/A |
Cross-site scripting (XSS) vulnerability in Synology DiskStation Manager (DSM) before 5.2-5565 Update 1 allows remote attackers to inject arbitrary web script or HTML via the "compound" parameter to entry.cgi. | ||||
CVE-2015-2809 | 1 Synology | 1 Diskstation Manager | 2024-08-06 | N/A |
The Multicast DNS (mDNS) responder in Synology DiskStation Manager (DSM) before 3.1 inadvertently responds to unicast queries with source addresses that are not link-local, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets to the Avahi component. | ||||
CVE-2017-14491 | 13 Arista, Arubanetworks, Canonical and 10 more | 35 Eos, Arubaos, Ubuntu Linux and 32 more | 2024-08-05 | 9.8 Critical |
Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response. | ||||
CVE-2017-9554 | 1 Synology | 1 Diskstation Manager | 2024-08-05 | N/A |
An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors. | ||||
CVE-2017-9553 | 1 Synology | 1 Diskstation Manager | 2024-08-05 | N/A |
A design flaw in SYNO.API.Encryption in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to bypass the encryption protection mechanism via the crafted version parameter. | ||||
CVE-2018-8897 | 8 Apple, Canonical, Citrix and 5 more | 19 Mac Os X, Ubuntu Linux, Xenserver and 16 more | 2024-08-05 | N/A |
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs. | ||||
CVE-2018-7185 | 6 Canonical, Hpe, Netapp and 3 more | 23 Ubuntu Linux, Hpux-ntp, Hci and 20 more | 2024-08-05 | 7.5 High |
The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association causing the victim ntpd to reset its association. | ||||
CVE-2018-7184 | 5 Canonical, Netapp, Ntp and 2 more | 10 Ubuntu Linux, Cloud Backup, Steelstore Cloud Integrated Storage and 7 more | 2024-08-05 | N/A |
ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704. | ||||
CVE-2018-7170 | 4 Hpe, Netapp, Ntp and 1 more | 10 Hpux-ntp, Hci, Solidfire and 7 more | 2024-08-05 | 5.3 Medium |
ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549. |