CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-27649
https://notcve.org/view.php?id=CVE-2021-27649
Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors. Una vulnerabilidad de uso de memoria previamente liberada en el componente file transfer protocol en Synology DiskStation Manager (DSM) versiones anteriores a 6.2.3-25426-3, permite a atacantes remotos ejecutar código arbitrario por medio de vectores no especificados • https://www.synology.com/security/advisory/Synology_SA_20_26 • CWE-416: Use After Free •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-29086
https://notcve.org/view.php?id=CVE-2021-29086
Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors. Una vulnerabilidad de exposición de información confidencial a un actor no autorizado en el componente webapi en Synology DiskStation Manager (DSM) versiones anteriores a 6.2.3-25426-3, permite a atacantes remotos obtener información confidencial por medio de vectores no especificados • https://www.synology.com/security/advisory/Synology_SA_20_26 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-29084 – Synology DiskStation Manager webapi CRLF Injection Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-29084
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors. Una vulnerabilidad de neutralización inapropiada de elementos especiales en la salida usada por un componente descendente ("Injection") en el componente de administración de informes Security Advisor en Synology DiskStation Manager (DSM) versiones anteriores a 6.2.3-25426-3, permite a atacantes remotos leer archivos arbitrarios por medio de vectores no especificados This vulnerability allows remote attackers to disclose sensitive information on affected installations of Synology DS418play. Authentication is not required to exploit this vulnerability. The specific flaw exists within the webapi component. The issue results from incorrect neutralization of CRLF sequences in HTTP requests. An attacker can leverage this vulnerability to disclose information in the context of the Admin user. • https://www.synology.com/security/advisory/Synology_SA_20_26 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2021-26567
https://notcve.org/view.php?id=CVE-2021-26567
Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options. La vulnerabilidad de desbordamiento de búfer basada en la pila en frontend/main.c en faad2 versiones anteriores a 2.2.7.1 permite a los atacantes locales ejecutar código arbitrario a través de las opciones de nombre de archivo y ruta. • https://github.com/knik0/faad2/commit/720f7004d6c4aabee19aad16e7c456ed76a3ebfa https://www.synology.com/security/advisory/Synology_SA_20_26 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 9.0EPSS: 0%CPEs: 7EXPL: 1CVE-2021-26566
https://notcve.org/view.php?id=CVE-2021-26566
Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic. Una vulnerabilidad de inserción de información confidencial en datos enviados en synorelayd en Synology DiskStation Manager (DSM) versiones anteriores a 6.2.3-25426-3, permite a atacantes de tipo man-in-the-middle ejecutar comandos arbitrarios por medio del tráfico entrante QuickConnect • https://www.synology.com/security/advisory/Synology_SA_20_26 https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1160 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-201: Insertion of Sensitive Information Into Sent Data •