CVE-2018-13280
https://notcve.org/view.php?id=CVE-2018-13280
Use of insufficiently random values vulnerability in SYNO.Encryption.GenRandomKey in Synology DiskStation Manager (DSM) before 6.2-23739 allows man-in-the-middle attackers to compromise non-HTTPS sessions via unspecified vectors. Vulnerabilidad de uso de valores insuficientemente aleatorios en SYNO.Encryption.GenRandomKey en Synology DiskStation Manager (DSM) en versiones anteriores a la 6.2-23739 permite que atacantes Man-in-the-Middle (MitM) comprometan sesiones que no son HTTPS mediante vectores sin especificar. • https://www.synology.com/en-global/support/security/Synology_SA_18_39 • CWE-330: Use of Insufficiently Random Values •
CVE-2018-8916
https://notcve.org/view.php?id=CVE-2018-8916
Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification. Vulnerabilidad de cambio de contraseña sin verificar en Change Password en Synology DiskStation Manager (DSM) en versiones anteriores a la 6.2-23739 permite que usuarios autenticados remotos restablezcan contraseñas sin verificación. • https://www.synology.com/en-global/support/security/Synology_SA_18_24 • CWE-620: Unverified Password Change CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVE-2017-12075
https://notcve.org/view.php?id=CVE-2017-12075
Command injection vulnerability in EZ-Internet in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to execute arbitrary command via the username parameter. Vulnerabilidad de inyección de comandos en EZ-Internet en Synology DiskStation Manager (DSM) en versiones anteriores a la 6.2-23739 permite que usuarios remotos autenticados ejecuten comandos arbitrarios mediante el parámetro username. • https://www.synology.com/en-global/support/security/Synology_SA_18_24 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2017-15889 – Synology DiskStation Manager - smart.cgi Remote Command Execution
https://notcve.org/view.php?id=CVE-2017-15889
Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via disk field. Vulnerabilidad de inyección de comandos en smart.cgi en Synology DiskStation Manager (DSM) en versiones anteriores a la 5.2-5967-5 permite que usuarios autenticados remotos ejecuten comandos arbitrarios mediante el campo disk. • https://www.exploit-db.com/exploits/48514 http://packetstormsecurity.com/files/157807/Synology-DiskStation-Manager-smart.cgi-Remote-Command-Execution.html https://www.synology.com/en-global/support/security/Synology_SA_17_65_DSM • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2017-12076
https://notcve.org/view.php?id=CVE-2017-12076
Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology DiskStation (DSM) before 6.1.1-15088 allows remote authenticated attacker to exhaust the memory resources of the machine, causing a denial of service attack. Una vulnerabilidad de consumo de recursos sin control en SYNO.Core.PortForwarding.Rules en Synology DiskStation (DSM) para versiones anteriores a la 6.1.1-15088 permite a un atacante autenticado remoto agotar los recursos de memoria de la máquina, provocando una denegación de servicio. • https://www.synology.com/en-global/support/security/Synology_SA_17_48_DSM • CWE-400: Uncontrolled Resource Consumption •