
CVE-2017-9553
https://notcve.org/view.php?id=CVE-2017-9553
24 Jul 2017 — A design flaw in SYNO.API.Encryption in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to bypass the encryption protection mechanism via a crafted version parameter. • https://www.2-sec.com/2017/06/2-secs-expert-team-uncovers-new-vulnerability-popular-synology-nas-device

CVE-2017-9554 – Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration
https://notcve.org/view.php?id=CVE-2017-9554
24 Jul 2017 — An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors. Synology DiskStation Manager (DSM) versions prior to 6.1.... • https://packetstorm.news/files/id/181198 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2015-4655
https://notcve.org/view.php?id=CVE-2015-4655
18 Jun 2015 — Cross-site scripting (XSS) vulnerability in Synology DiskStation Manager (DSM) before 5.2-5565 Update 1 allows remote attackers to inject arbitrary web script or HTML via the "compound" parameter to entry.cgi. • http://seclists.org/fulldisclosure/2015/May/109 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2015-2809
https://notcve.org/view.php?id=CVE-2015-2809
01 Apr 2015 — The Multicast DNS (mDNS) responder in Synology DiskStation Manager (DSM) before 3.1 inadvertently responds to unicast queries with source addresses that are not link-local, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets to the Avahi component. • http://www.kb.cert.org/vuls/id/550620 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2012-1556 – Synology Photo Station 5 DSM 3.2 - 'photo_one.php' Script Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-1556
12 Sep 2014 — Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php. • https://www.exploit-db.com/exploits/36944 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2014-2264
https://notcve.org/view.php?id=CVE-2014-2264
02 Mar 2014 — The OpenVPN module in Synology DiskStation Manager (DSM) 4.3-3810 Update 1 has a hardcoded root password of synopass, which makes it easier for remote attackers to obtain access via a VPN session. • http://forum.synology.com/enu/viewtopic.php?f=173&t=77644 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-255: Credentials Management Errors

CVE-2013-6955 – Synology DiskStation Manager - SLICEUPLOAD Remote Command Execution
https://notcve.org/view.php?id=CVE-2013-6955
23 Dec 2013 — webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header. • https://packetstorm.news/files/id/124568 • CWE-264: Permissions, Privileges, and Access Controls

CVE-2013-6987 – Synology DSM 4.3-3810 - Directory Traversal
https://notcve.org/view.php?id=CVE-2013-6987
23 Dec 2013 — Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter to file_delete.cgi or (2) folder_path parameter to file_share.cgi in webapi/FileStation/; (3) dlink parameter to fbdownload/; or unspecified parameters to (4) html5_upload.cgi, (5) file_download.cgi, (6) file_sharing.cgi, (7) file_MVCP.cgi, or (8) file_rename.cgi... • https://packetstorm.news/files/id/124563 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')