CVE-2016-6554 – Synology NAS servers DS107, DS116, and DS213, use default credentials
https://notcve.org/view.php?id=CVE-2016-6554
Synology NAS servers DS107, firmware version 3.1-1639 and prior, and DS116 and DS213, firmware versions prior to 5.2-5644-1, use non-random default credentials of guest:(blank) and admin:(blank). A remote network attacker can gain privileged access to a vulnerable device.
References: https://www.kb.cert.org/vuls/id/404187 ; https://www.securityfocus.com/bid/93805 ; https://www.synology.com/en-global/releaseNote/DS213
Weakness: CWE-255: Credentials Management Errors
CVE-2018-8929
https://notcve.org/view.php?id=CVE-2018-8929
Improper restriction of communication channel to intended endpoints vulnerability in the HTTP daemon in Synology SSL VPN Client before 1.2.4-0224 allows remote attackers to conduct man-in-the-middle attacks via a crafted payload.
References: https://www.synology.com/en-global/support/security/Synology_SA_18_19
Weaknesses: CWE-319: Cleartext Transmission of Sensitive Information; CWE-417: Communication Channel Errors
CVE-2018-8928
https://notcve.org/view.php?id=CVE-2018-8928
Cross-site scripting (XSS) vulnerability in Address Book Editor in Synology CardDAV Server before 6.0.8-0086 allows remote authenticated users to inject arbitrary web script or HTML via the (1) family_name, (2) given_name, or (3) additional_name parameter.
References: https://www.synology.com/en-global/support/security/Synology_SA_18_10
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-16773
https://notcve.org/view.php?id=CVE-2017-16773
Improper authorization vulnerability in Highlight Preview in Synology Universal Search before 1.0.5-0135 allows remote authenticated users to bypass permission checks for directories in POSIX mode.
References: https://www.synology.com/en-global/support/security/Synology_SA_18_27
Weaknesses: CWE-285: Improper Authorization; CWE-863: Incorrect Authorization
CVE-2018-8927
https://notcve.org/view.php?id=CVE-2018-8927
Improper authorization vulnerability in SYNO.Cal.Event in Calendar before 2.1.2-0511 allows remote authenticated users to create arbitrary events via the (1) cal_id or (2) original_cal_id parameter.
References: https://www.synology.com/en-global/support/security/Synology_SA_18_16
Weakness: CWE-863: Incorrect Authorization