CVSS: 6.1EPSS: 3%CPEs: 1EXPL: 2CVE-2018-0715 – QNAP Photo Station 5.7.0 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-0715
27 Aug 2018 — Cross-site scripting vulnerability in QNAP Photo Station versions 5.7.0 and earlier could allow remote attackers to inject Javascript code in the compromised application. Vulnerabilidad Cross-Site Scripting (XSS) en QNAP Photo Station en versiones 5.7.0 y anteriores podría permitir que atacantes remotos inyecten código JavaScript en la aplicación comprometida. QNAP Photo Station version 5.7.0 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/149273 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-8925
https://notcve.org/view.php?id=CVE-2018-8925
08 Jun 2018 — Cross-site request forgery (CSRF) vulnerability in admin/user.php in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote attackers to hijack the authentication of administrators via the (1) username, (2) password, (3) admin, (4) action, (5) uid, or (6) modify_admin parameter. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en admin/user.php en Synology Photo Station en versiones anteriores a la 6.8.5-3471 y anteriores a la 6.3-2975 permite que atacantes remotos secuestren la auten... • https://www.synology.com/zh-tw/support/security/Synology_SA_18_15 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-8926
https://notcve.org/view.php?id=CVE-2018-8926
08 Jun 2018 — Permissive regular expression vulnerability in synophoto_dsm_user in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote authenticated users to conduct privilege escalation attacks via the fullname parameter. Vulnerabilidad de expresión regular permisiva en synophoto_dsm_user en SYNOPHOTO_Flickr_MultiUpload en Synology Photo Station, en versiones anteriores a la 6.8.5-3471 y a la 6.3-2975, permite que usuarios autenticados remotos lleven a cabo ataques de escalado de privilegios media... • https://www.synology.com/zh-tw/support/security/Synology_SA_18_15 • CWE-625: Permissive Regular Expression •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2017-13073
https://notcve.org/view.php?id=CVE-2017-13073
23 Apr 2018 — Cross-site scripting (XSS) vulnerability in QNAP NAS application Photo Station versions 5.2.7, 5.4.3, and their earlier versions could allow remote attackers to inject arbitrary web script or HTML. Vulnerabilidad Cross-Site Scripting (XSS) en la aplicación Photo Station de QNAP NAS, en versiones 5.2.7, 5.4.3 y anteriores, permite que los atacantes remotos inyecten scripts web o HTML arbitrarios. • https://www.qnap.com/zh-tw/security-advisory/nas-201804-23 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2017-16771
https://notcve.org/view.php?id=CVE-2017-16771
22 Mar 2018 — Cross-site scripting (XSS) vulnerability in Log Viewer in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote attackers to inject arbitrary web script or HTML via the username parameter. Vulnerabilidad de Cross-Site Scripting (XSS) en Log Viewer en Synology Photo Station, en versiones anteriores a la 6.8.3-3463 y anteriores a la 6.3-2971, permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante el parámetro username. • https://www.synology.com/en-global/support/security/Synology_SA_18_02 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 0CVE-2017-16772
https://notcve.org/view.php?id=CVE-2017-16772
22 Mar 2018 — Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUpload in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote authenticated users to execute arbitrary codes via the prog_id parameter. Vulnerabilidad de validación de entradas incorrecta en PixlrEditorHandler.php en SYNOPHOTO_Flickr_MultiUpload en Synology Photo Station, en versiones anteriores a la 6.8.3-3463 y a la 6.3-2971, permite que usuarios autenticados remotos ejecuten código arbitrario mediante el parámetro pro... • https://www.synology.com/en-global/support/security/Synology_SA_18_02 • CWE-20: Improper Input Validation CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12072
https://notcve.org/view.php?id=CVE-2017-12072
20 Dec 2017 — Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.8.0-3456 allows remote authenticated users to inject arbitrary web scripts or HTML via the id parameter. Vulnerabilidad de Cross-Site Scripting (XSS) en PixlrEditorHandler.php en Synology Photo Station en versiones anteriores a la 6.8.0-3456 permite que atacantes remotos autenticados inyecten scripts web o HTML arbitrarios mediante el parámetro id. • https://www.synology.com/en-global/support/security/Synology_SA_17_80 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-12079
https://notcve.org/view.php?id=CVE-2017-12079
04 Dec 2017 — Files or directories accessible to external parties vulnerability in picasa.php in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain arbitrary files via prog_id field. Vulnerabilidad de archivos o directorios accesibles para terceros en picasa.php en Synology Photo Station en versiones anteriores a la 6.8.1-3458 y a la 6.3-2970 permite que atacantes remotos obtengan archivos arbitrarios mediante el campo prog_id. • https://www.synology.com/en-global/support/security/Synology_SA_17_63_Photo_Station • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-552: Files or Directories Accessible to External Parties •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-12080
https://notcve.org/view.php?id=CVE-2017-12080
04 Dec 2017 — An information exposure vulnerability in default HTTP configuration file in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain sensitive system information via .htaccess file. Una vulnerabilidad de exposición de información en el archivo de configuración HTTP por defecto en Synology Photo Station en versiones anteriores a la 6.8.1-3458 y a la 6.3-2970 permite que atacantes remotos obtengan información sensible del sistema mediante el archivo .htaccess. • https://www.synology.com/en-global/support/security/Synology_SA_17_63_Photo_Station • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-12071
https://notcve.org/view.php?id=CVE-2017-12071
08 Sep 2017 — Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via the url parameter. Una vulnerabilidad Server-Side Request Forgery (SSRF) en file_upload.php en Synology Photo Station en versiones anteriores a la 6.7.4-3433 y 6.3-2968 permite que usuarios remotos autenticados descarguen archivos locales arbitrarios mediante el parámetro url. • https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation • CWE-918: Server-Side Request Forgery (SSRF) •