Synology CVEs and Security Vulnerabilities

Filtered by vendor Synology Subscriptions

Search

Switch to Advanced Search (Beta)

Total 328 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2016-10322	1 Synology	1 Photo Station	2025-04-20	N/A
Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php.
CVE-2017-15886	1 Synology	1 Chat	2025-04-20	N/A
Server-side request forgery (SSRF) vulnerability in Link Preview in Synology Chat before 2.0.0-1124 allows remote authenticated users to download arbitrary local files via a crafted URI.
CVE-2017-12071	1 Synology	1 Photo Station	2025-04-20	N/A
Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via the url parameter.
CVE-2016-10331	1 Synology	1 Photo Station	2025-04-20	N/A
Directory traversal vulnerability in download.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to read arbitrary files via a full pathname in the id parameter.
CVE-2016-10330	1 Synology	1 Photo Station	2025-04-20	N/A
Directory traversal vulnerability in synophoto_dsm_user, a SUID program, as used in Synology Photo Station before 6.5.3-3226 allows local users to write to arbitrary files via unspecified vectors.
CVE-2017-9556	1 Synology	1 Video Station	2025-04-20	N/A
Cross-site scripting (XSS) vulnerability in Video Metadata Editor in Synology Video Station before 2.3.0-1435 allows remote authenticated attackers to inject arbitrary web script or HTML via the title parameter.
CVE-2017-11154	1 Synology	1 Photo Station	2025-04-20	N/A
Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type parameter.
CVE-2015-9102	1 Synology	1 Photo Station	2025-04-20	N/A
Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos.
CVE-2015-9103	1 Synology	1 Note Station	2025-04-20	N/A
Multiple cross-site scripting (XSS) vulnerabilities in Synology Note Station 1.1-0212 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) note title or (2) file name of attachments.
CVE-2017-11153	1 Synology	1 Photo Station	2025-04-20	N/A
Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload.
CVE-2017-9553	1 Synology	1 Diskstation Manager	2025-04-20	N/A
A design flaw in SYNO.API.Encryption in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to bypass the encryption protection mechanism via the crafted version parameter.
CVE-2017-15890	1 Synology	1 Mailplus Server	2025-04-20	N/A
Cross-site scripting (XSS) vulnerability in Disclaimer in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary web script or HTML via the NAME parameter.
CVE-2017-11161	1 Synology	1 Photo Station	2025-04-20	N/A
Multiple SQL injection vulnerabilities in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allow remote attackers to execute arbitrary SQL commands via the (1) article_id parameter to label.php; or (2) type parameter to synotheme.php.
CVE-2017-11162	1 Synology	1 Photo Station	2025-04-20	N/A
Directory traversal vulnerability in synphotoio in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to read arbitrary files via unspecified vectors.
CVE-2017-11149	1 Synology	1 Download Station	2025-04-20	N/A
Server-side request forgery (SSRF) vulnerability in Downloader in Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 allows remote authenticated users to download arbitrary local files via crafted URI.
CVE-2017-16766	1 Synology	1 Diskstation Manager	2025-04-20	N/A
An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.3-8754-6 allows local users to inject arbitrary web script or HTML via the -fn option.
CVE-2017-15887	1 Synology	1 Carddav Server	2025-04-20	N/A
An improper restriction of excessive authentication attempts vulnerability in /principals in Synology CardDAV Server before 6.0.7-0085 allows remote attackers to obtain user credentials via a brute-force attack.
CVE-2017-9552	1 Synology	1 Photo Station	2025-04-20	N/A
A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by "synophoto_dsm_user --auth USERNAME PASSWORD", and local users are able to obtain credentials by sniffing "/proc/*/cmdline".
CVE-2017-12072	1 Synology	1 Photo Station	2025-04-20	N/A
Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.8.0-3456 allows remote authenticated users to inject arbitrary web scripts or HTML via the id parameter.
CVE-2017-11152	1 Synology	1 Photo Station	2025-04-20	N/A
Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter.

« first previous Page 5 of 17. next last »