CVE-2017-13071
https://notcve.org/view.php?id=CVE-2017-13071
QNAP has already patched this vulnerability. This security concern allows a remote attacker to run arbitrary commands on the QNAP Video Station 5.1.3 (for QTS 4.3.3), 5.2.0 (for QTS 4.3.4), and earlier. • https://www.qnap.com/zh-tw/security-advisory/nas-201711-21 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2017-9556
https://notcve.org/view.php?id=CVE-2017-9556
Cross-site scripting (XSS) vulnerability in Video Metadata Editor in Synology Video Station before 2.3.0-1435 allows remote authenticated attackers to inject arbitrary web script or HTML via the title parameter. • https://www.synology.com/en-global/support/security/Synology_SA_17_39_Video_Station • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-9105
https://notcve.org/view.php?id=CVE-2015-9105
Multiple cross-site scripting (XSS) vulnerabilities in Synology Video Station 1.2 before 1.2-0455, 1.5 before 1.5-0772, and 1.6 before 1.6-0847 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) file name or (2) collection name of videos. • http://www.fortiguard.com/zeroday/FG-VD-15-107 http://www.fortiguard.com/zeroday/FG-VD-15-108 https://www.synology.com/en-global/support/security/Video_station_1_5_0772 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-6910
https://notcve.org/view.php?id=CVE-2015-6910
SQL injection vulnerability in Synology Video Station before 1.5-0757 allows remote attackers to execute arbitrary SQL commands via the id parameter to audiotrack.cgi. • http://packetstormsecurity.com/files/133519/Synology-Video-Station-1.5-0757-Command-Injection-SQL-Injection.html http://seclists.org/fulldisclosure/2015/Sep/31 http://www.securityfocus.com/archive/1/536427/100/0/threaded https://www.securify.nl/advisory/SFY20150810/synology_video_station_command_injection_and_multiple_sql_injection_vulnerabilities.html https://www.synology.com/en-global/releaseNote/VideoStation?model=DS715 https://www.synology.com/en-global/support/security/Video_Station_1_5_0757 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-6911 – Synology Video Station 1.5-0757 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-6911
SQL injection vulnerability in Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary SQL commands via the id parameter to watchstatus.cgi. • https://www.exploit-db.com/exploits/38128 http://packetstormsecurity.com/files/133519/Synology-Video-Station-1.5-0757-Command-Injection-SQL-Injection.html http://seclists.org/fulldisclosure/2015/Sep/31 http://www.securityfocus.com/archive/1/536427/100/0/threaded https://www.securify.nl/advisory/SFY20150810/synology_video_station_command_injection_and_multiple_sql_injection_vulnerabilities.html https://www.synology.com/en-global/releaseNote/VideoStation?model=DS715 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')