CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47562 – Photo Station
https://notcve.org/view.php?id=CVE-2023-47562
02 Feb 2024 — An OS command injection vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: Photo Station 6.4.2 ( 2023/12/15 ) and later Se ha informado que una vulnerabilidad de inyección de comandos del sistema operativo afecta a Photo Station. Si se explota, la vulnerabilidad podría permitir a los usuarios autenticados ejecutar comandos a través de una ... • https://www.qnap.com/en/security-advisory/qsa-24-08 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47561 – Photo Station
https://notcve.org/view.php?id=CVE-2023-47561
02 Feb 2024 — A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Photo Station 6.4.2 ( 2023/12/15 ) and later Vulnerabilidad de Cross-Site Scripting (XSS) afecta a Photo Station. Si se explota, la vulnerabilidad podría permitir a los usuarios autenticados inyectar código malicioso a través de una red. Ya hemos soluciona... • https://www.qnap.com/en/security-advisory/qsa-24-08 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-22681
https://notcve.org/view.php?id=CVE-2022-22681
06 Jul 2022 — Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors. Una vulnerabilidad de Fijación de Sesión en la administración del control de acceso en Synology Photo Station versiones anteriores a 6.8.16-3506, permite a atacantes remotos omitir las restricciones de seguridad por medio de vectores no especificados • https://www.synology.com/security/advisory/Synology_SA_21_26 • CWE-384: Session Fixation •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11822
https://notcve.org/view.php?id=CVE-2019-11822
30 Jun 2019 — Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter. Una vulnerabilidad de salto de ruta (path) relativa en el archivo SYNO.PhotoStation.File en Synology Photo Station anterior a versión 6.8.11-3489 y anterior a versión 6.3-2977, permite a los atacantes remotos cargar archivos arbitrarios por medio del parámetro uploadphoto. • https://www.synology.com/security/advisory/Synology_SA_19_01 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11821
https://notcve.org/view.php?id=CVE-2019-11821
30 Jun 2019 — SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter. Una vulnerabilidad de inyección de SQL en el archivo synophoto_csPhotoDB.php en Synology Photo Station anterior a versión 6.8.11-3489 y anterior a versión 6.3-2977, permite a los atacantes remotos ejecutar comandos SQL arbitrarios por medio del parámetro type. • https://www.synology.com/security/advisory/Synology_SA_19_01 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-13282
https://notcve.org/view.php?id=CVE-2018-13282
31 Oct 2018 — Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter. Una vulnerabilidad de fijación de sesión en SYNO.PhotoStation.Auth en Synology Photo Station en versiones anteriores a la 6.8.7-3481 permite que atacantes remotos secuestren sesiones web mediante el parámetro PHPSESSID. • https://www.synology.com/en-global/support/security/Synology_SA_18_37 • CWE-384: Session Fixation •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-8925
https://notcve.org/view.php?id=CVE-2018-8925
08 Jun 2018 — Cross-site request forgery (CSRF) vulnerability in admin/user.php in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote attackers to hijack the authentication of administrators via the (1) username, (2) password, (3) admin, (4) action, (5) uid, or (6) modify_admin parameter. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en admin/user.php en Synology Photo Station en versiones anteriores a la 6.8.5-3471 y anteriores a la 6.3-2975 permite que atacantes remotos secuestren la auten... • https://www.synology.com/zh-tw/support/security/Synology_SA_18_15 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-8926
https://notcve.org/view.php?id=CVE-2018-8926
08 Jun 2018 — Permissive regular expression vulnerability in synophoto_dsm_user in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote authenticated users to conduct privilege escalation attacks via the fullname parameter. Vulnerabilidad de expresión regular permisiva en synophoto_dsm_user en SYNOPHOTO_Flickr_MultiUpload en Synology Photo Station, en versiones anteriores a la 6.8.5-3471 y a la 6.3-2975, permite que usuarios autenticados remotos lleven a cabo ataques de escalado de privilegios media... • https://www.synology.com/zh-tw/support/security/Synology_SA_18_15 • CWE-625: Permissive Regular Expression •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2017-16771
https://notcve.org/view.php?id=CVE-2017-16771
22 Mar 2018 — Cross-site scripting (XSS) vulnerability in Log Viewer in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote attackers to inject arbitrary web script or HTML via the username parameter. Vulnerabilidad de Cross-Site Scripting (XSS) en Log Viewer en Synology Photo Station, en versiones anteriores a la 6.8.3-3463 y anteriores a la 6.3-2971, permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante el parámetro username. • https://www.synology.com/en-global/support/security/Synology_SA_18_02 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 0CVE-2017-16772
https://notcve.org/view.php?id=CVE-2017-16772
22 Mar 2018 — Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUpload in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote authenticated users to execute arbitrary codes via the prog_id parameter. Vulnerabilidad de validación de entradas incorrecta en PixlrEditorHandler.php en SYNOPHOTO_Flickr_MultiUpload en Synology Photo Station, en versiones anteriores a la 6.8.3-3463 y a la 6.3-2971, permite que usuarios autenticados remotos ejecuten código arbitrario mediante el parámetro pro... • https://www.synology.com/en-global/support/security/Synology_SA_18_02 • CWE-20: Improper Input Validation CWE-434: Unrestricted Upload of File with Dangerous Type •