CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2021-33959
https://notcve.org/view.php?id=CVE-2021-33959
Plex media server 1.21 and before is vulnerable to ddos reflection attack via plex service. Plex Media Server en las versiones 1.21 y anteriores es vulnerable a un ataque DDos de reflexión a través del servicio plex. • https://github.com/lixiang957/CVE-2021-33959 https://www.freebuf.com/articles/web/260338.html • CWE-346: Origin Validation Error •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2022-22683
https://notcve.org/view.php?id=CVE-2022-22683
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary code via unspecified vectors. Una vulnerabilidad de la copia del búfer sin comprobar el tamaño de la entrada ("Desbordamiento de Búfer Clásico") en el componente cgi en Synology Media Server versiones anteriores a 1.8.1-2876, permite a atacantes remotos ejecutar código arbitrario por medio de vectores no especificados • https://www.synology.com/security/advisory/Synology_SA_20_24 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-27614
https://notcve.org/view.php?id=CVE-2022-27614
Exposure of sensitive information to an unauthorized actor vulnerability in web server in Synology Media Server before 1.8.1-2876 allows remote attackers to obtain sensitive information via unspecified vectors. Una vulnerabilidad de exposición de información confidencial a un actor no autorizado en el servidor web de Synology Media Server versiones anteriores a 1.8.1-2876, que permite a atacantes remotos obtener información confidencial por medio de vectores no especificados • https://www.synology.com/security/advisory/Synology_SA_20_24 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.0EPSS: 0%CPEs: 2EXPL: 1CVE-2021-42835
https://notcve.org/view.php?id=CVE-2021-42835
An issue was discovered in Plex Media Server through 1.24.4.5081-e362dc1ee. An attacker (with a foothold in a endpoint via a low-privileged user account) can access the exposed RPC service of the update service component. This RPC functionality allows the attacker to interact with the RPC functionality and execute code from a path of his choice (local, or remote via SMB) because of a TOCTOU race condition. This code execution is in the context of the Plex update service (which runs as SYSTEM). Se ha detectado un problema en Plex Media Server versiones hasta 1.24.4.5081-e362dc1ee. • https://bugsec.com/experts_teams https://forums.plex.tv/t/security-regarding-cve-2021-42835/761510 https://ir-on.io/2021/12/02/local-privilege-plexcalation https://www.plex.tv/media-server-downloads • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-34808
https://notcve.org/view.php?id=CVE-2021-34808
Server-Side Request Forgery (SSRF) vulnerability in cgi component in Synology Media Server before 1.8.3-2881 allows remote attackers to access intranet resources via unspecified vectors. La vulnerabilidad de falsificación de solicitudes del lado del servidor (SSRF) en el componente cgi de Synology Media Server anterior a la versión 1.8.3-2881 permite a los atacantes remotos acceder a recursos de la intranet a través de vectores no especificados • https://www.synology.com/security/advisory/Synology_SA_21_10 • CWE-918: Server-Side Request Forgery (SSRF) •