CVE-2015-6911 – Synology Video Station 1.5-0757 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-6911
SQL injection vulnerability in Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary SQL commands via the id parameter to watchstatus.cgi.
• https://www.exploit-db.com/exploits/38128
• http://packetstormsecurity.com/files/133519/Synology-Video-Station-1.5-0757-Command-Injection-SQL-Injection.html
• http://seclists.org/fulldisclosure/2015/Sep/31
• http://www.securityfocus.com/archive/1/536427/100/0/threaded
• https://www.securify.nl/advisory/SFY20150810/synology_video_station_command_injection_and_multiple_sql_injection_vulnerabilities.html
• https://www.synology.com/en-global/releaseNote/VideoStation?model=DS715
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-6912 – Synology Video Station 1.5-0757 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-6912
Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharacters in the subtitle_codepage parameter to subtitle.cgi.
• https://www.exploit-db.com/exploits/38128
• http://packetstormsecurity.com/files/133519/Synology-Video-Station-1.5-0757-Command-Injection-SQL-Injection.html
• http://seclists.org/fulldisclosure/2015/Sep/31
• http://www.securityfocus.com/archive/1/536427/100/0/threaded
• https://www.securify.nl/advisory/SFY20150810/synology_video_station_command_injection_and_multiple_sql_injection_vulnerabilities.html
• https://www.synology.com/en-global/releaseNote/VideoStation?model=DS715
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2015-6913
https://notcve.org/view.php?id=CVE-2015-6913
Cross-site scripting (XSS) vulnerability in the "Create download task via URL" feature in Synology Download Station before 3.5-2967 allows remote attackers to inject arbitrary web script or HTML via the urls parameter in an add_url_task action to dlm/downloadman.cgi.
• http://packetstormsecurity.com/files/133520/Synology-Download-Station-3.5-2956-3.5-2962-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2015/Sep/32
• http://www.securityfocus.com/archive/1/536428/100/0/threaded
• https://www.securify.nl/advisory/SFY20150809/multiple_cross_site_scripting_vulnerabilities_in_synology_download_station.html
• https://www.synology.com/en-global/releaseNote/DownloadStation?model=DS715
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-4656
https://notcve.org/view.php?id=CVE-2015-4656
Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php or (2) crafted URL parameters to index.php, as demonstrated by the t parameter to photo/.
• http://seclists.org/fulldisclosure/2015/May/110
• http://www.securityfocus.com/bid/74816
• https://www.securify.nl/advisory/SFY20150504/synology_photo_station_multiple_cross_site_scripting_vulnerabilities.html
• https://www.synology.com/en-us/support/security/Photo_Station_2945
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-4655
https://notcve.org/view.php?id=CVE-2015-4655
Cross-site scripting (XSS) vulnerability in Synology DiskStation Manager (DSM) before 5.2-5565 Update 1 allows remote attackers to inject arbitrary web script or HTML via the "compound" parameter to entry.cgi.
• http://seclists.org/fulldisclosure/2015/May/109
• http://www.securityfocus.com/bid/74811
• https://www.securify.nl/advisory/SFY20150503/reflected_cross_site_scripting_in_synology_diskstation_manager.html
• https://www.synology.com/en-global/releaseNote/DS214play
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')