
CVE-2023-47562 – Photo Station
https://notcve.org/view.php?id=CVE-2023-47562
02 Feb 2024 — An OS command injection vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: Photo Station 6.4.2 (2023/12/15) and later. • https://www.qnap.com/en/security-advisory/qsa-24-08 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2023-47561 – Photo Station
https://notcve.org/view.php?id=CVE-2023-47561
02 Feb 2024 — A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Photo Station 6.4.2 (2023/12/15) and later. • https://www.qnap.com/en/security-advisory/qsa-24-08 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-22681
https://notcve.org/view.php?id=CVE-2022-22681
06 Jul 2022 — Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors. • https://www.synology.com/security/advisory/Synology_SA_21_26 • CWE-384: Session Fixation

CVE-2021-29089
https://notcve.org/view.php?id=CVE-2021-29089
02 Jun 2021 — Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in thumbnail component in Synology Photo Station before 6.8.14-3500 allows remote attackers users to execute arbitrary SQL commands via unspecified vectors. • https://www.synology.com/security/advisory/Synology_SA_20_20 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2021-29090
https://notcve.org/view.php?id=CVE-2021-29090
02 Jun 2021 — Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in PHP component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. • https://www.synology.com/security/advisory/Synology_SA_20_20 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2021-29091
https://notcve.org/view.php?id=CVE-2021-29091
02 Jun 2021 — Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to write arbitrary files via unspecified vectors. • https://www.synology.com/security/advisory/Synology_SA_20_20 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2021-29092
https://notcve.org/view.php?id=CVE-2021-29092
01 Jun 2021 — Unrestricted upload of file with dangerous type vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary code via unspecified vectors. • https://www.synology.com/security/advisory/Synology_SA_20_20 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2019-11822
https://notcve.org/view.php?id=CVE-2019-11822
30 Jun 2019 — Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter. • https://www.synology.com/security/advisory/Synology_SA_19_01 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-23: Relative Path Traversal

CVE-2019-11821
https://notcve.org/view.php?id=CVE-2019-11821
30 Jun 2019 — SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL commands via the type parameter. • https://www.synology.com/security/advisory/Synology_SA_19_01 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2018-13282
https://notcve.org/view.php?id=CVE-2018-13282
31 Oct 2018 — Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter. • https://www.synology.com/en-global/support/security/Synology_SA_18_37 • CWE-384: Session Fixation