CVSS: 9.9EPSS: 22%CPEs: 42EXPL: 3CVE-2021-44142 – Samba fruit_pwrite Heap-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-44142
01 Feb 2022 — The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root. El módulo vfs_fruit de S... • https://github.com/horizon3ai/CVE-2021-44142 • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVSS: 8.6EPSS: 0%CPEs: 2EXPL: 0CVE-2021-29085
https://notcve.org/view.php?id=CVE-2021-29085
23 Jun 2021 — Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors. Una vulnerabilidad de neutralización inapropiada de elementos especiales en la salida usada por un componente aguas abajo ("Injection") en el componente file sharing management en Synology DiskStation Manager (DSM) versiones anter... • https://www.synology.com/security/advisory/Synology_SA_20_26 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-29087
https://notcve.org/view.php?id=CVE-2021-29087
23 Jun 2021 — Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors. Una vulnerabilidad de limitación inapropiada de un nombre de ruta a un directorio restringido ("'Path Traversal") en el componente webapi de Synology DiskStation Manager (DSM) versiones anteriores a 6.2.3-25426-3, que permite a atacantes remotos escribir archivos ar... • https://www.synology.com/security/advisory/Synology_SA_20_26 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 0CVE-2021-27649
https://notcve.org/view.php?id=CVE-2021-27649
23 Jun 2021 — Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors. Una vulnerabilidad de uso de memoria previamente liberada en el componente file transfer protocol en Synology DiskStation Manager (DSM) versiones anteriores a 6.2.3-25426-3, permite a atacantes remotos ejecutar código arbitrario por medio de vectores no especificados • https://www.synology.com/security/advisory/Synology_SA_20_26 • CWE-416: Use After Free •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-29086
https://notcve.org/view.php?id=CVE-2021-29086
23 Jun 2021 — Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors. Una vulnerabilidad de exposición de información confidencial a un actor no autorizado en el componente webapi en Synology DiskStation Manager (DSM) versiones anteriores a 6.2.3-25426-3, permite a atacantes remotos obtener información confidencial por medio de vectores no especif... • https://www.synology.com/security/advisory/Synology_SA_20_26 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-33182
https://notcve.org/view.php?id=CVE-2021-33182
01 Jun 2021 — Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in PDF Viewer component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to read limited files via unspecified vectors. Una vulnerabilidad de limitación inapropiada de un nombre de ruta a un directorio restringido ("Path Traversal") en el componente PDF Viewer en Synology DiskStation Manager (DSM) versiones anteriores a 6.2.4-25553, permite a usuarios autenticados remotos le... • https://www.synology.com/security/advisory/Synology_SA_21_03 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-29088
https://notcve.org/view.php?id=CVE-2021-29088
01 Jun 2021 — Improper limitation of a pathname to a restricted directory ('Path Traversal') in cgi component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors. Una vulnerabilidad de limitación inapropiada de un nombre de ruta a un directorio restringido ("Path Traversal") en el componente cgi en Synology DiskStation Manager (DSM) versiones anteriores a 6.2.4-25553 permite a usuarios locales ejecutar código arbitrario por medio de vectores no esp... • https://www.synology.com/security/advisory/Synology_SA_21_03 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-29084 – Synology DiskStation Manager webapi CRLF Injection Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-29084
25 May 2021 — Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors. Una vulnerabilidad de neutralización inapropiada de elementos especiales en la salida usada por un componente descendente ("Injection") en el componente de administración de informes Security Advisor en Synology DiskSta... • https://www.synology.com/security/advisory/Synology_SA_20_26 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2021-31439 – Synology DiskStation Manager Netatalk dsi_doff Heap-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-31439
29 Apr 2021 — This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerablity. The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://lists.debian.org/debian-lts-announce/2023/05/msg00018.html • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 0CVE-2021-29083
https://notcve.org/view.php?id=CVE-2021-29083
01 Apr 2021 — Improper neutralization of special elements used in an OS command in SYNO.Core.Network.PPPoE in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote authenticated users to execute arbitrary code via realname parameter. Una neutralización inapropiada de elementos especiales usados en un comando del Sistema Operativo en SYNO.Core.Network.PPPoE en Synology DiskStation Manager (DSM) versiones anteriores a 6.2.3-25426-3, permite a usuarios autenticados remotos ejecutar código arbitrario por medi... • https://www.synology.com/security/advisory/Synology_SA_20_26 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •