CVE-2017-11155 – Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2017-11155
An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to obtain sensitive system information via unspecified vectors. Una vulnerabilidad de exposición de información en index.php en Synology Photo Station en versiones anteriores a la 6.7.3-3432 y a la 6.3-2967 permite que atacantes remotos obtengan información sensible del sistema mediante vectores sin especificar. Synology Photo Station versions 6.7.3-3432 and 6.3-2967 suffer from a code execution vulnerability. • https://www.exploit-db.com/exploits/42434 https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-205: Observable Behavioral Discrepancy •
CVE-2017-11153 – Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2017-11153
Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload. Una vulnerabilidad de deserialización en synophoto_csPhotoMisc.php en Synology Photo Station en versiones anteriores a la 6.7.3-3432 y a la 6.3-2967 permite que atacantes remotos consigan privilegios de administrador mediante un payload de diseño serializado manipulado. Synology Photo Station versions 6.7.3-3432 and 6.3-2967 suffer from a code execution vulnerability. • https://www.exploit-db.com/exploits/42434 https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation • CWE-502: Deserialization of Untrusted Data •
CVE-2017-11151 – Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2017-11151
A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action. Una vulnerabilidad en synotheme_upload.php en Synology Photo Station en versiones anteriores a la 6.7.3-3432 y a la 6.3-2967 permite que atacantes remotos suban archivos arbitrarios sin autenticación mediante la acción logo_upload. Synology Photo Station versions 6.7.3-3432 and 6.3-2967 suffer from a code execution vulnerability. • https://www.exploit-db.com/exploits/42434 https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation • CWE-287: Improper Authentication •
CVE-2017-11152 – Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2017-11152
Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter. Una vulnerabilidad de salto de directorio en PixlrEditorHandler.php en Synology Photo Station en versiones anteriores a la 6.7.3-3432 y a la 6.3-2967 permite que atacantes remotos escriban archivos arbitrarios mediante el parámetro path. Synology Photo Station versions 6.7.3-3432 and 6.3-2967 suffer from a code execution vulnerability. • https://www.exploit-db.com/exploits/42434 https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2015-9102
https://notcve.org/view.php?id=CVE-2015-9102
Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos. Varias vulnerabilidades de XSS (cross-site scripting) en Synology Photo Station versión 6.0 y anteriores a la 6.0-2638, versión 6.3 y anteriores a la 6.3-2962, permiten a atacantes remotos autenticados inyectar secuencias de comandos web o HTML a través del (1) nombre del álbum (2) nombre de las imágenes subidas, (3) descripción de fotos, o (4) etiqueta de las fotos. • http://www.fortiguard.com/zeroday/FG-VD-15-103 http://www.fortiguard.com/zeroday/FG-VD-15-104 http://www.fortiguard.com/zeroday/FG-VD-15-109 http://www.fortiguard.com/zeroday/FG-VD-15-112 https://www.synology.com/en-global/support/security/Photo_Station_6_3_2962 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •