
CVSS: 6.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

08 Sep 2017 — Directory traversal vulnerability in synphotoio in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to read arbitrary files via unspecified vectors. • https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

24 Aug 2017 — Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.0-3414 allows remote attackers to inject arbitrary web script or HTML via the image parameter. • https://www.synology.com/en-global/support/security/Synology_SA_17_47_Photo_Station • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 18% • CPEs: 2 • EXPL: 2

08 Aug 2017 — A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action. Synology Photo Station versions 6.7.3-3432 and 6.3-2967 suffer from a code executi... • https://packetstorm.news/files/id/143745 • CWE-287: Improper Authentication

CVSS: 7.5 • EPSS: 14% • CPEs: 2 • EXPL: 2

08 Aug 2017 — Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter. Synology Photo Station versions 6.7.3-3432 and 6.3-2967 suffer from a code execution... • https://packetstorm.news/files/id/143745 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 9.8 • EPSS: 15% • CPEs: 2 • EXPL: 2

08 Aug 2017 — Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload. Synology Photo Station versions 6.... • https://packetstorm.news/files/id/143745 • CWE-502: Deserialization of Untrusted Data

CVSS: 7.2 • EPSS: 6% • CPEs: 2 • EXPL: 2

08 Aug 2017 — Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type parameter. Synology Photo Station versions 6.7.3-3432 and 6.3-2967... • https://packetstorm.news/files/id/143745 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 7.5 • EPSS: 35% • CPEs: 2 • EXPL: 2

08 Aug 2017 — An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to obtain sensitive system information via unspecified vectors. Synology Photo Station versions 6.7.3-3432 and 6.3-2967 suffer fro... • https://packetstorm.news/files/id/143745 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-205: Observable Behavioral Discrepancy

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Jun 2017 — Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos. • http://www.fortiguard.com/zeroday/FG-VD-15-103 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.8 • EPSS: 0% • CPEs: 24 • EXPL: 0

13 Jun 2017 — A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by "synophoto_dsm_user --auth USERNAME PASSWORD", and local users are able to obtain credentials by sniffing "/proc/*/cmdline". • http://blog.crozat.net/2017/06/synology-photostation-password-vulnerabilty.html • CWE-287: Improper Authentication • CWE-522: Insufficiently Protected Credentials

CVSS: 9.8 • EPSS: 15% • CPEs: 1 • EXPL: 3

12 May 2017 — Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted 'X-Forwarded-For' header. • http://seclists.org/oss-sec/2016/q1/236 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')