CVE-2017-16770
https://notcve.org/view.php?id=CVE-2017-16770
File and directory information exposure vulnerability in SYNO.SurveillanceStation.PersonalSettings.Photo in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to obtain other users' sensitive files via the filename parameter.
• https://www.synology.com/en-global/support/security/Synology_SA_17_77
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory
CVE-2017-16767
https://notcve.org/view.php?id=CVE-2017-16767
Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter.
• https://www.synology.com/en-global/support/security/Synology_SA_17_77
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')