CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-34812
https://notcve.org/view.php?id=CVE-2021-34812
18 Jun 2021 — Use of hard-coded credentials vulnerability in php component in Synology Calendar before 2.4.0-0761 allows remote attackers to obtain sensitive information via unspecified vectors. La vulnerabilidad del uso de credenciales codificadas en el componente php de Synology Calendar anterior a la versión 2.4.0-0761 permite a los atacantes remotos obtener información confidencial a través de vectores no especificados • https://www.synology.com/security/advisory/Synology_SA_21_12 • CWE-798: Use of Hard-coded Credentials •
CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 0CVE-2019-11829
https://notcve.org/view.php?id=CVE-2019-11829
30 Jun 2019 — OS command injection vulnerability in drivers_syno_import_user.php in Synology Calendar before 2.3.1-0617 allows remote attackers to execute arbitrary commands via the crafted 'X-Real-IP' header. Una vulnerabilidad de inyección de comandos del sistema operativo en el archivo drivers_syno_import_user.php en Synology Calendar anterior a versión 2.3.1-0617, permite a los atacantes remotos ejecutar comandos arbitrarios por medio del encabezado “X-Real-IP” creado. • https://www.synology.com/security/advisory/Synology_SA_19_12 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11825
https://notcve.org/view.php?id=CVE-2019-11825
30 Jun 2019 — Cross-site scripting (XSS) vulnerability in Event Editor in Synology Calendar before 2.3.0-0615 allows remote attackers to inject arbitrary web script or HTML via the title parameter. Una vulnerabilidad de tipo cross-site scripting (XSS) en el Editor de eventos en Synology Calendar anterior a versión 2.3.0-0615, permite a los atacantes remotos inyectar script web o HTML arbitrario por medio del parámetro title. • https://www.synology.com/security/advisory/Synology_SA_19_04 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11820
https://notcve.org/view.php?id=CVE-2019-11820
09 May 2019 — Information exposure through process environment vulnerability in Synology Calendar before 2.3.3-0620 allows local users to obtain credentials via cmdline. La exposición a la información a través de la vulnerabilidad del entorno de procesos en Synology Calendar, versiones anteriores a 2.3.3-0620, permite a los usuarios locales obtener credenciales a través de cmdline. • https://www.synology.com/security/advisory/Synology_SA_19_21 • CWE-522: Insufficiently Protected Credentials •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-13299
https://notcve.org/view.php?id=CVE-2018-13299
01 Apr 2019 — Relative path traversal vulnerability in Attachment Uploader in Synology Calendar before 2.2.2-0532 allows remote authenticated users to upload arbitrary files via the filename parameter. Una vulnerabilidad de salto de directorio relativo en el actualizador de adjuntos en Synology Calendar, en versiones anteriores a la 2.2.2-0532, permite a los usuarios remotos autenticados subir archivos arbitrarios mediante el parámetro "filename". • https://www.synology.com/security/advisory/Synology_SA_18_54 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-3763
https://notcve.org/view.php?id=CVE-2018-3763
05 Jul 2018 — In Nextcloud Calendar before 1.5.8 and 1.6.1, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins. En Nextcloud Calendar en versiones anteriores a la 1.5.8 y la 1.6.1, la falta de saneamiento de los resultados de búsqueda de un campo de autocompletar podría conducir a Cross-Site Scripting... • https://nextcloud.com/security/advisory/?id=nc-sa-2018-004 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-8927
https://notcve.org/view.php?id=CVE-2018-8927
14 Jun 2018 — Improper authorization vulnerability in SYNO.Cal.Event in Calendar before 2.1.2-0511 allows remote authenticated users to create arbitrary events via the (1) cal_id or (2) original_cal_id parameter. Vulnerabilidad de autorización indebida en SYNO.Cal.Event en Calendar en versiones anteriores a la 2.1.2-0511 permite que usuarios remotos autenticados creen eventos arbitrarios mediante los parámetros (1) cal_id o (2) original_cal_id. • https://www.synology.com/en-global/support/security/Synology_SA_18_16 • CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-8915
https://notcve.org/view.php?id=CVE-2018-8915
10 May 2018 — Cross-site scripting (XSS) vulnerability in Notification Center in Synology Calendar before 2.1.1-0502 allows remote authenticated users to inject arbitrary web script or HTML via title parameter. Vulnerabilidad de Cross-Site Scripting (XSS) en Notification Center en Synology Calendar en versiones anteriores a la 2.1.1-0502 permite que atacantes remotos autenticados inyecten scripts web o HTML arbitrarios mediante el parámetro title. • https://www.synology.com/en-global/support/security/Synology_SA_18_06 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2016-10716
https://notcve.org/view.php?id=CVE-2016-10716
16 Mar 2018 — The Mail.ru Calendar plugin before 2.5.0.61 for Atlassian Jira has XSS via the Name field in a Create Calender action, related to a MailRuCalendar.jspa#period/month URI. El plugin Mail.ru Calendar, en versiones anteriores a la 2.5.0.61, en Atlassian Jira tiene Cross-Site Scripting (XSS) mediante el campo Name en una acción Create Calender. Esto se relaciona con un URI MailRuCalendar.jspa#period/month. • https://marketplace.atlassian.com/plugins/ru.mail.jira.plugins.mailrucal/versions • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15891
https://notcve.org/view.php?id=CVE-2017-15891
08 Dec 2017 — Improper access control vulnerability in SYNO.Cal.EventBase in Synology Calendar before 2.0.1-0242 allows remote authenticated users to modify calendar event via unspecified vectors. Vulnerabilidad de control de acceso indebido en SYNO.Cal.EventBase en Synology Calendar en versiones anteriores a la 2.0.1-0242 permite que usuarios remotos autenticados modifiquen eventos del calendario mediante vectores sin especificar. • https://www.synology.com/en-global/support/security/Synology_SA_17_68_Calendar • CWE-284: Improper Access Control •