CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-2264
https://notcve.org/view.php?id=CVE-2014-2264
The OpenVPN module in Synology DiskStation Manager (DSM) 4.3-3810 update 1 has a hardcoded root password of synopass, which makes it easier for remote attackers to obtain access via a VPN session. El módulo OpenVPN en Synology DiskStation Manager (DSM) 4.3-3810 actualización 1 tiene una contraseña root embebida de synopass, lo que facilita a atacantes remotos obtener acceso a través de una sesión VPN. • http://forum.synology.com/enu/viewtopic.php?f=173&t=77644 http://www.kb.cert.org/vuls/id/534284 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-255: Credentials Management Errors •
CVSS: 10.0EPSS: 97%CPEs: 4EXPL: 1CVE-2013-6955 – Synology DiskStation Manager - SLICEUPLOAD Remote Command Execution
https://notcve.org/view.php?id=CVE-2013-6955
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header. webman/imageSelector.cgi en Synology DiskStation Manager (DSM) 4.0 anteriores a 4.0-2259, 4.2 anteriores a 4.2-3243, y 4.3 anteriores 4.3-3810 Update permite a atacantes remotos añadir información a archivos de forma arbitraria, y consecuentemente ejecutar código de forma arbitraria, a través de una ruta en el header HTTP SLICEUPLOAD X-TMP-FILE. • https://www.exploit-db.com/exploits/30470 http://www.kb.cert.org/vuls/id/615910 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 6CVE-2013-6987 – Synology DSM 4.3-3810 - Directory Traversal
https://notcve.org/view.php?id=CVE-2013-6987
Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter to file_delete.cgi or (2) folder_path parameter to file_share.cgi in webapi/FileStation/; (3) dlink parameter to fbdownload/; or unspecified parameters to (4) html5_upload.cgi, (5) file_download.cgi, (6) file_sharing.cgi, (7) file_MVCP.cgi, or (8) file_rename.cgi in webapi/FileStation/. Múltiples vulnerabilidades de salto de directorio en los componentes FileBrowser en Synology DiskStation Manager (DSM) anterior a 4.3 -3810 Update 3 permiten a atacantes remotos leer, escribir y borrar archivos de su elección a través de .. (punto punto) en el (1) parámetro path en file_delete.cgi o (2) el parámetro folder_path en file_share.cgi en WebAPI / FileStation /, (3) el parámetro Dlink en fbdownload /, o los parámetros no especificados en (4) html5_upload.cgi , (5) file_download.cgi, (6) file_sharing.cgi, (7) file_MVCP.cgi, o (8) file_rename.cgi en WebAPI / FileStation /. Synology DSM versions 4.3-3810 and below suffer from multiple directory traversal vulnerabilities. • https://www.exploit-db.com/exploits/30475 https://github.com/stoicboomer/CVE-2013-6987 http://packetstormsecurity.com/files/124563 http://seclists.org/fulldisclosure/2013/Dec/177 http://www.exploit-db.com/exploits/30475 http://www.securityfocus.com/bid/64483 http://www.synology.com/en-us/releaseNote/model/DS114 https://exchange.xforce.ibmcloud.com/vulnerabilities/89892 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 2CVE-2012-1556 – Synology Photo Station 5 DSM 3.2 - 'photo_one.php' Script Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-1556
Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php. Vulnerabilidad de XSS en Synology Photo Station 5 para DiskStation Manager (DSM) 3.2-1955 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro name en photo/photo_one.php. Photo Station 5 suffers from a reflective cross site scripting vulnerability. • https://www.exploit-db.com/exploits/36944 http://archives.neohapsis.com/archives/bugtraq/2012-03/0045.html http://osvdb.org/80034 http://secunia.com/advisories/48334 http://www.securityfocus.com/bid/52416 https://exchange.xforce.ibmcloud.com/vulnerabilities/73976 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 2.1EPSS: 0%CPEs: 21EXPL: 0CVE-2010-3684
https://notcve.org/view.php?id=CVE-2010-3684
The FTP authentication module in Synology Disk Station 2.x logs passwords to the web application interface in cases of incorrect login attempts, which allows local users to obtain sensitive information by reading a log, a different vulnerability than CVE-2010-2453. El módulo de autenticación de FTP en Synology Disk Station v2.x registra las contraseñas de la interfaz de aplicación web en los casos de intentos de conexión incorrecta, lo cual permite a usuarios locales obtener información sensible mediante la lectura de un registro, una vulnerabilidad diferente de CVE-2010-2453. • http://www.securityfocus.com/archive/1/513970/100/0/threaded • CWE-255: Credentials Management Errors •