CVSS: 9.0EPSS: 0%CPEs: 7EXPL: 1CVE-2021-26561
https://notcve.org/view.php?id=CVE-2021-26561
26 Feb 2021 — Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header. Una vulnerabilidad de desbordamiento del búfer en la región stack de la memoria en synoagentregisterd en Synology DiskStation Manager (DSM) versiones anteriores a 6.2.3-25426-3, permite a atacantes de tipo man-in-the-middle ejecutar código arbitrario por medio del encabezado HTTP syno_finder_s... • https://www.synology.com/security/advisory/Synology_SA_20_26 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow •
CVSS: 9.0EPSS: 0%CPEs: 7EXPL: 1CVE-2021-26560
https://notcve.org/view.php?id=CVE-2021-26560
26 Feb 2021 — Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session. Una vulnerabilidad transmisión de información confidencial en texto sin cifrar en synoagentregisterd en Synology DiskStation Manager (DSM) versiones anteriores a 6.2.3-25426-3, permite a atacantes de tipo man-in-the-middle falsificar servidores por medio de una sesión HTTP • https://www.synology.com/security/advisory/Synology_SA_20_26 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 6.1EPSS: 1%CPEs: 13EXPL: 1CVE-2019-3870
https://notcve.org/view.php?id=CVE-2019-3870
09 Apr 2019 — A vulnerability was found in Samba from version (including) 4.9 to versions before 4.9.6 and 4.10.2. During the creation of a new Samba AD DC, files are created in a private subdirectory of the install location. This directory is typically mode 0700, that is owner (root) only access. However in some upgraded installations it will have other permissions, such as 0755, because this was the default before Samba 4.8. Within this directory, files are created with mode 0666, which is world-writable, including a s... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3870 • CWE-276: Incorrect Default Permissions •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2018-13293
https://notcve.org/view.php?id=CVE-2018-13293
01 Apr 2019 — Cross-site scripting (XSS) vulnerability in Control Panel SSO Settings in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to inject arbitrary web script or HTML via the URL parameter. Una vulnerabilidad de Cross-Site Scripting (XSS) en los ajustes SSO del panel de control en Synology DiskStation Manager (DSM), en versiones 6.2.1-23824, permite a los usuarios remotos autenticados inyectar scripts web arbitrarios o HTML mediante el parámetro URL. • https://www.synology.com/security/advisory/Synology_SA_18_51 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-13291
https://notcve.org/view.php?id=CVE-2018-13291
01 Apr 2019 — Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to obtain sensitive information via the world readable configuration. Una vulnerabilidad de exposición de información en /usr/syno/etc/mount.conf en Synology DiskStation Manager (DSM), en versiones anteriores a la 6.2.1-23824, permite a los usuarios remotos autenticados obtener información sensible mediante la configuración de lectura global. • https://www.synology.com/security/advisory/Synology_SA_18_51 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2018-13286
https://notcve.org/view.php?id=CVE-2018-13286
01 Apr 2019 — Incorrect default permissions vulnerability in synouser.conf in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to obtain sensitive information via the world readable configuration. Una vulnerabilidad de permisos por defecto incorrectos en synouser.conf en Synology Diskstation Manager (DSM), en versiones anteriores a la 6.2-23739-1, permite a los usuarios remotos autenticados obtener información sensible mediante la configuración de lectura global. • https://www.synology.com/security/advisory/Synology_SA_18_33 • CWE-276: Incorrect Default Permissions •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2018-13284
https://notcve.org/view.php?id=CVE-2018-13284
01 Apr 2019 — Command injection vulnerability in ftpd in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command. Una vulnerabilidad de inyección de comandos en ftpd en Synology Diskstation Manager (DSM), en versiones anteriores a la 6.2-23739-1, permite a los usuarios remotos autenticados ejecutar comandos arbitrarios del sistema operativo mediante los comandos (1) MKD o (2) RMD. • https://www.synology.com/security/advisory/Synology_SA_18_33 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-16774
https://notcve.org/view.php?id=CVE-2017-16774
01 Apr 2019 — Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter. Una vulnerabilidad de Cross-Site Scripting (XSS) en SYNO.Core.PersonalNotification.Event en Synology DiskStation Manager (DSM), en versiones anteriores a la 6.1.4-15217-3, permite a los usuarios remotos autenticados inyectar scripts web o HTML arbitrarios mediante el pará... • https://www.synology.com/security/advisory/Synology_SA_18_26 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-8917
https://notcve.org/view.php?id=CVE-2018-8917
24 Dec 2018 — Cross-site scripting (XSS) vulnerability in info.cgi in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary web script or HTML via the host parameter. Vulnerabilidad Cross-Site Scripting (XSS) en info.cgi en Synology DiskStation Manager (DSM) en versiones anteriores a la 6.1.6-15266 permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante el parámetro host. • https://www.synology.com/security/advisory/Synology_SA_18_14 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-8919
https://notcve.org/view.php?id=CVE-2018-8919
24 Dec 2018 — Information exposure vulnerability in SYNO.Core.Desktop.SessionData in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to steal credentials via unspecified vectors. Vulnerabilidad de exposición de información en SYNO.Core.Desktop.SessionData en Synology DiskStation Manager (DSM) en versiones anteriores a la 6.1.6-15266 permite que atacantes remotos roben credenciales mediante vectores sin especificar. • https://www.synology.com/security/advisory/Synology_SA_18_14 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •