CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39352 – Synology BC500 Protection Mechanism Failure Software Downgrade Vulnerability
https://notcve.org/view.php?id=CVE-2024-39352
21 Jun 2024 — A vulnerability regarding incorrect authorization is found in the firmware upgrade functionality. This allows remote authenticated users with administrator privileges to bypass firmware integrity check via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500. This vulnerability allows network-adjacent attackers to downgrade Synology software on affected installations of Synology BC500 cameras. Authentication is required to exploi... • https://www.synology.com/en-global/security/advisory/Synology_SA_23_15 • CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-5463
https://notcve.org/view.php?id=CVE-2024-5463
04 Jun 2024 — A vulnerability regarding buffer copy without checking the size of input ('Classic Buffer Overflow') has been found in the login component. This allows remote attackers to conduct denial-of-service attacks via unspecified vectors. This attack only affects the login service which will automatically restart. The following models with Synology Camera Firmware versions before 1.1.1-0383 may be affected: BC500 and TC500. Se ha encontrado una vulnerabilidad relacionada con la copia del búfer sin verificar el tama... • https://www.synology.com/en-global/security/advisory/Synology_SA_24_07 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0CVE-2024-29241
https://notcve.org/view.php?id=CVE-2024-29241
28 Mar 2024 — Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to bypass security constraints via unspecified vectors. Vulnerabilidad de autorización faltante en el componente webapi System en Synology Surveillance Station anterior a 9.2.0-9289 y 9.2.0-11289 permite a los usuarios autenticados remotamente eludir las restricciones de seguridad a través de vectores no especificados. • https://www.synology.com/en-global/security/advisory/Synology_SA_24_04 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-29240
https://notcve.org/view.php?id=CVE-2024-29240
28 Mar 2024 — Missing authorization vulnerability in LayoutSave webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to conduct denial-of-service attacks via unspecified vectors. Vulnerabilidad de autorización faltante en el componente webapi LayoutSave en Synology Surveillance Station anterior a 9.2.0-11289 y 9.2.0-9289 permite a usuarios autenticados remotamente realizar ataques de denegación de servicio a través de vectores no especificados. • https://www.synology.com/en-global/security/advisory/Synology_SA_24_04 • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-29239
https://notcve.org/view.php?id=CVE-2024-29239
28 Mar 2024 — Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Recording.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors. La neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ("Inyección SQL") en el componente webapi Recording.CountByCategory en Synology Surveillance Station anterior a 9.2.0... • https://www.synology.com/en-global/security/advisory/Synology_SA_24_04 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-29238
https://notcve.org/view.php?id=CVE-2024-29238
28 Mar 2024 — Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to inject SQL commands via unspecified vectors. La neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ("Inyección SQL") en el componente webapi Log.CountByCategory en Synology Surveillance Station anterior a 9.2.0-9289 y 9.2.... • https://www.synology.com/en-global/security/advisory/Synology_SA_24_04 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-29237
https://notcve.org/view.php?id=CVE-2024-29237
28 Mar 2024 — Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in ActionRule.Delete webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ("Inyección SQL") en el componente webapi ActionRule.Delete en Synology Surveillance Station anterior a 9.2.0-11289 y 9.2.0-9289... • https://www.synology.com/en-global/security/advisory/Synology_SA_24_04 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-29236
https://notcve.org/view.php?id=CVE-2024-29236
28 Mar 2024 — Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in AudioPattern.Delete webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to inject SQL commands via unspecified vectors. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ("Inyección SQL") en el componente webapi AudioPattern.Delete en Synology Surveillance Station anterior a 9.2.0-9289 y 9.2.0-1... • https://www.synology.com/en-global/security/advisory/Synology_SA_24_04 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-29235
https://notcve.org/view.php?id=CVE-2024-29235
28 Mar 2024 — Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in IOModule.EnumLog webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors. La neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ("Inyección SQL") en el componente webapi IOModule.EnumLog en Synology Surveillance Station anterior a 9.2.0-11289 y 9.2.0-928... • https://www.synology.com/en-global/security/advisory/Synology_SA_24_04 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-29234
https://notcve.org/view.php?id=CVE-2024-29234
28 Mar 2024 — Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Group.Save webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ("Inyección SQL") en el componente Group.Save webapi en Synology Surveillance Station anterior a 9.2.0-11289 y 9.2.0-9289 permite a usu... • https://www.synology.com/en-global/security/advisory/Synology_SA_24_04 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •