
CVE-2019-11822
https://notcve.org/view.php?id=CVE-2019-11822
30 Jun 2019 — Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter. • https://www.synology.com/security/advisory/Synology_SA_19_01 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-23: Relative Path Traversal

CVE-2019-11821
https://notcve.org/view.php?id=CVE-2019-11821
30 Jun 2019 — SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL commands via the type parameter. • https://www.synology.com/security/advisory/Synology_SA_19_01 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2018-0722
https://notcve.org/view.php?id=CVE-2018-0722
01 Feb 2019 — Path traversal vulnerability in Photo Station (versions 5.7.2 and earlier in QTS 4.3.4, 5.4.4 and earlier in QTS 4.3.3, and 5.2.8 and earlier in QTS 4.2.6) could allow remote attackers to access sensitive information on the device. • https://www.qnap.com/zh-tw/security-advisory/nas-201901-14 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2018-13282
https://notcve.org/view.php?id=CVE-2018-13282
31 Oct 2018 — Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter. • https://www.synology.com/en-global/support/security/Synology_SA_18_37 • CWE-384: Session Fixation

CVE-2018-0715 – QNAP Photo Station 5.7.0 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-0715
27 Aug 2018 — Cross-site scripting vulnerability in QNAP Photo Station versions 5.7.0 and earlier could allow remote attackers to inject JavaScript code into the compromised application. QNAP Photo Station version 5.7.0 suffers from a cross-site scripting vulnerability. • https://packetstorm.news/files/id/149273 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-8925
https://notcve.org/view.php?id=CVE-2018-8925
08 Jun 2018 — Cross-site request forgery (CSRF) vulnerability in admin/user.php in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote attackers to hijack the authentication of administrators via the (1) username, (2) password, (3) admin, (4) action, (5) uid, or (6) modify_admin parameter. • https://www.synology.com/zh-tw/support/security/Synology_SA_18_15 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2018-8926
https://notcve.org/view.php?id=CVE-2018-8926
08 Jun 2018 — Permissive regular expression vulnerability in synophoto_dsm_user in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote authenticated users to conduct privilege escalation attacks via the fullname parameter. • https://www.synology.com/zh-tw/support/security/Synology_SA_18_15 • CWE-625: Permissive Regular Expression

CVE-2017-13073
https://notcve.org/view.php?id=CVE-2017-13073
23 Apr 2018 — Cross-site scripting (XSS) vulnerability in the QNAP NAS application Photo Station, versions 5.2.7, 5.4.3, and earlier, could allow remote attackers to inject arbitrary web script or HTML. • https://www.qnap.com/zh-tw/security-advisory/nas-201804-23 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-16771
https://notcve.org/view.php?id=CVE-2017-16771
22 Mar 2018 — Cross-site scripting (XSS) vulnerability in Log Viewer in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote attackers to inject arbitrary web script or HTML via the username parameter. • https://www.synology.com/en-global/support/security/Synology_SA_18_02 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-16772
https://notcve.org/view.php?id=CVE-2017-16772
22 Mar 2018 — Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUpload in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote authenticated users to execute arbitrary code via the prog_id parameter. • https://www.synology.com/en-global/support/security/Synology_SA_18_02 • CWE-20: Improper Input Validation • CWE-434: Unrestricted Upload of File with Dangerous Type