CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Synology : Security Vulnerabilities Published In 2019

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-11829 78 Exec Code 2019-06-30 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
OS command injection vulnerability in drivers_syno_import_user.php in Synology Calendar before 2.3.1-0617 allows remote attackers to execute arbitrary commands via the crafted 'X-Real-IP' header.
2 CVE-2019-11828 79 XSS 2019-06-30 2019-10-09
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Chart in Synology Office before 3.1.4-2771 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
3 CVE-2019-11827 79 XSS 2019-06-30 2019-10-09
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Shard in Synology Note Station before 2.5.3-0863 allows remote attackers to inject arbitrary web script or HTML via the object_id parameter.
4 CVE-2019-11826 22 Dir. Trav. 2019-06-30 2019-10-09
6.5
None Remote Low Single system Partial Partial Partial
Relative path traversal vulnerability in SYNO.PhotoTeam.Upload.Item in Synology Moments before 1.3.0-0691 allows remote authenticated users to upload arbitrary files via the name parameter.
5 CVE-2019-11825 79 XSS 2019-06-30 2019-10-09
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Event Editor in Synology Calendar before 2.3.0-0615 allows remote attackers to inject arbitrary web script or HTML via the title parameter.
6 CVE-2019-11822 22 Dir. Trav. 2019-06-30 2019-10-09
4.0
None Remote Low Single system None Partial None
Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter.
7 CVE-2019-11821 89 Exec Code Sql 2019-06-30 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter.
8 CVE-2019-11820 255 +Info 2019-05-09 2019-10-09
2.1
None Local Low Not required Partial None None
Information exposure through process environment vulnerability in Synology Calendar before 2.3.3-0620 allows local users to obtain credentials via cmdline.
9 CVE-2019-9516 400 DoS 2019-08-13 2019-08-23
7.8
None Remote Low Not required None None Complete
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.
10 CVE-2019-9513 400 DoS 2019-08-13 2019-08-23
7.8
None Remote Low Not required None None Complete
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
11 CVE-2019-9511 400 DoS 2019-08-13 2019-08-23
7.8
None Remote Low Not required None None Complete
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
12 CVE-2018-13299 22 Dir. Trav. 2019-04-01 2019-10-09
4.0
None Remote Low Single system None Partial None
Relative path traversal vulnerability in Attachment Uploader in Synology Calendar before 2.2.2-0532 allows remote authenticated users to upload arbitrary files via the filename parameter.
13 CVE-2018-13297 200 +Info 2019-04-01 2019-10-09
5.0
None Remote Low Not required Partial None None
Information exposure vulnerability in SYNO.SynologyDrive.Files in Synology Drive before 1.1.2-10562 allows remote attackers to obtain sensitive system information via the dsm_path parameter.
14 CVE-2018-13296 400 2019-04-01 2019-10-09
5.0
None Remote Low Not required None None Partial
Uncontrolled resource consumption vulnerability in TLS configuration in Synology MailPlus Server before 2.0.5-0606 allows remote attackers to conduct denial-of-service attacks via client-initiated renegotiation.
15 CVE-2018-13295 200 +Info 2019-04-01 2019-10-09
4.0
None Remote Low Single system Partial None None
Information exposure vulnerability in SYNO.Personal.Application.Info in Synology Application Service before 1.5.4-0320 allows remote authenticated users to obtain sensitive system information via the version parameter.
16 CVE-2018-13294 200 +Info 2019-04-01 2019-10-09
4.0
None Remote Low Single system Partial None None
Information exposure vulnerability in SYNO.Personal.Profile in Synology Application Service before 1.5.4-0320 allows remote authenticated users to obtain sensitive system information via the uid parameter.
17 CVE-2018-13293 79 XSS 2019-04-01 2019-10-09
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in Control Panel SSO Settings in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to inject arbitrary web script or HTML via the URL parameter.
18 CVE-2018-13292 200 +Info 2019-04-01 2019-10-09
4.0
None Remote Low Single system Partial None None
Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote authenticated users to obtain sensitive information via the world readable configuration.
19 CVE-2018-13291 200 +Info 2019-04-01 2019-10-09
4.0
None Remote Low Single system Partial None None
Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to obtain sensitive information via the world readable configuration.
20 CVE-2018-13290 200 +Info 2019-04-01 2019-10-09
4.0
None Remote Low Single system Partial None None
Information exposure vulnerability in SYNO.Core.ACL in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote authenticated users to determine the existence of files or obtain sensitive information of files via the file_path parameter.
21 CVE-2018-13289 200 +Info 2019-04-01 2019-10-09
5.0
None Remote Low Not required Partial None None
Information exposure vulnerability in SYNO.FolderSharing.List in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote attackers to obtain sensitive information via the (1) folder_path or (2) real_path parameter.
22 CVE-2018-13288 200 +Info 2019-04-01 2019-10-09
5.0
None Remote Low Not required Partial None None
Information exposure vulnerability in SYNO.FolderSharing.List in Synology File Station before 1.2.3-0252 and before 1.1.5-0125 allows remote attackers to obtain sensitive information via the (1) folder_path or (2) real_path parameter.
23 CVE-2018-13287 276 +Info 2019-04-01 2019-10-09
4.0
None Remote Low Single system Partial None None
Incorrect default permissions vulnerability in synouser.conf in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to obtain sensitive information via the world readable configuration.
24 CVE-2018-13286 276 +Info 2019-04-01 2019-10-09
4.0
None Remote Low Single system Partial None None
Incorrect default permissions vulnerability in synouser.conf in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to obtain sensitive information via the world readable configuration.
25 CVE-2018-13285 78 Exec Code 2019-04-01 2019-10-09
9.0
None Remote Low Single system Complete Complete Complete
Command injection vulnerability in ftpd in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command.
26 CVE-2018-13284 78 Exec Code 2019-04-01 2019-10-09
9.0
None Remote Low Single system Complete Complete Complete
Command injection vulnerability in ftpd in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command.
27 CVE-2018-13283 2019-04-01 2019-10-09
5.8
None Remote Medium Not required Partial Partial None
Lack of administrator control over security vulnerability in client.cgi in Synology SSL VPN Client before 1.2.5-0226 allows remote attackers to conduct man-in-the-middle attacks via the (1) command, (2) hostname, or (3) port parameter.
28 CVE-2017-16774 79 XSS 2019-04-01 2019-10-09
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter.
Total number of vulnerabilities : 28   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.