CVSS: 7.8EPSS: 0%CPEs: 33EXPL: 0CVE-2017-11156
https://notcve.org/view.php?id=CVE-2017-11156
Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 uses weak permissions (0777) for ui/dlm/btsearch directory, which allows remote authenticated users to execute arbitrary code by uploading an executable via unspecified vectors. Synology Download Station 3.8.x en versiones anteriores a la 3.8.5-3475 y 3.x en versiones anteriores a la 3.5-2984 emplea permisos débiles (0777) para el directorio ui/dlm/btsearch, lo que permite que usuarios remotos autenticados ejecuten código arbitrario mediante la subida de un archivo ejecutable usando vectores sin especificar. • https://www.synology.com/en-global/support/security/Synology_SA_17_28_Download_Station • CWE-276: Incorrect Default Permissions CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2015-6909
https://notcve.org/view.php?id=CVE-2015-6909
Cross-site scripting (XSS) vulnerability in the "Create download task via file upload" feature in Synology Download Station before 3.5-2962 allows remote attackers to inject arbitrary web script or HTML via the name element in the Info dictionary in a torrent file. Vulnerabilidad de XSS en la funcionalidad 'Create download task via file upload' en Synology Download Station en versiones anteriores a 3.5-2962, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del nombre del elemento en el diccionario Info en un archivo torrent. • http://packetstormsecurity.com/files/133520/Synology-Download-Station-3.5-2956-3.5-2962-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2015/Sep/32 http://www.securityfocus.com/archive/1/536428/100/0/threaded https://www.securify.nl/advisory/SFY20150809/multiple_cross_site_scripting_vulnerabilities_in_synology_download_station.html https://www.synology.com/en-global/releaseNote/DownloadStation?model=DS715 https://www.synology.com/en-global/support/security/Download_Station_3_5_2962 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2015-6913
https://notcve.org/view.php?id=CVE-2015-6913
Cross-site scripting (XSS) vulnerability in the "Create download task via URL" feature in Synology Download Station before 3.5-2967 allows remote attackers to inject arbitrary web script or HTML via the urls parameter in an add_url_task action to dlm/downloadman.cgi. Vulnerabilidad de XSS en la funcionalidad 'Create download task via URL' en Synology Download Station en versiones anteriores a 3.5-2967, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro urls de una acción add_url_task a dlm/downloadman.cgi. • http://packetstormsecurity.com/files/133520/Synology-Download-Station-3.5-2956-3.5-2962-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2015/Sep/32 http://www.securityfocus.com/archive/1/536428/100/0/threaded https://www.securify.nl/advisory/SFY20150809/multiple_cross_site_scripting_vulnerabilities_in_synology_download_station.html https://www.synology.com/en-global/releaseNote/DownloadStation?model=DS715 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •