CVSS: 8.8EPSS: 11%CPEs: 1EXPL: 1CVE-2017-15889 – Synology DiskStation Manager - smart.cgi Remote Command Execution
https://notcve.org/view.php?id=CVE-2017-15889
Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via disk field. Vulnerabilidad de inyección de comandos en smart.cgi en Synology DiskStation Manager (DSM) en versiones anteriores a la 5.2-5967-5 permite que usuarios autenticados remotos ejecuten comandos arbitrarios mediante el campo disk. • https://www.exploit-db.com/exploits/48514 http://packetstormsecurity.com/files/157807/Synology-DiskStation-Manager-smart.cgi-Remote-Command-Execution.html https://www.synology.com/en-global/support/security/Synology_SA_17_65_DSM • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-12079
https://notcve.org/view.php?id=CVE-2017-12079
Files or directories accessible to external parties vulnerability in picasa.php in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain arbitrary files via prog_id field. Vulnerabilidad de archivos o directorios accesibles para terceros en picasa.php en Synology Photo Station en versiones anteriores a la 6.8.1-3458 y a la 6.3-2970 permite que atacantes remotos obtengan archivos arbitrarios mediante el campo prog_id. • https://www.synology.com/en-global/support/security/Synology_SA_17_63_Photo_Station • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-552: Files or Directories Accessible to External Parties •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15887
https://notcve.org/view.php?id=CVE-2017-15887
An improper restriction of excessive authentication attempts vulnerability in /principals in Synology CardDAV Server before 6.0.7-0085 allows remote attackers to obtain user credentials via a brute-force attack. Una vulnerabilidad de restricción indebida de intentos excesivos de autenticación en /principals en Synology CardDAV Server en versiones anteriores a la 6.0.7-0085 permite que atacantes remotos obtengan credenciales de usuario mediante un ataque de fuerza bruta. • https://www.synology.com/en-global/support/security/Synology_SA_17_64_CardDAV_Server • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15888
https://notcve.org/view.php?id=CVE-2017-15888
Cross-site scripting (XSS) vulnerability in Custom Internet Radio List in Synology Audio Station before 6.3.0-3260 allows remote authenticated attackers to inject arbitrary web script or HTML via the NAME parameter. Una vulnerabilidad de Cross-Site Scripting (XSS) en Custom Internet Radio List en Synology Audio Station en versiones anteriores a la 6.3.0-3260 permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante el parámetro NAME. • https://www.synology.com/en-global/support/security/Synology_SA_17_61_Audio_Station • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 30%CPEs: 54EXPL: 3CVE-2017-14491 – Dnsmasq < 2.78 - 2-byte Heap Overflow
https://notcve.org/view.php?id=CVE-2017-14491
Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response. Un desbordamiento de búfer basado en memoria dinámica (heap) en dnsmasq en versiones anteriores a la 2.78 permite a los atacantes provocar una denegación de servicio (cierre inesperado) o ejecutar código arbitrario utilizando una respuesta DNS manipulada. A heap buffer overflow was found in dnsmasq in the code responsible for building DNS replies. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash or, potentially, execute arbitrary code. Dnsmasq versions prior to 2.78 suffer from a 2-byte heap-based overflow vulnerability. • https://www.exploit-db.com/exploits/42941 https://github.com/skyformat99/dnsmasq-2.4.1-fix-CVE-2017-14491 http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00006.html http://nvidia.custhelp.com/app/answers/detail/a_id/4560 http://nvidia.custhelp.com/a • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •