Vulnerabilities (CVE)

  1. OpenCVE
  2. Vulnerabilities (CVE)
Filtered by vendor Synology Subscribe
Total 283 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-12074 1 Synology 1 Dns Server 2025-04-20 4.0 MEDIUM 6.5 MEDIUM
Directory traversal vulnerability in the SYNO.DNSServer.Zone.MasterZoneConf in Synology DNS Server before 2.2.1-3042 allows remote authenticated attackers to write arbitrary files via the domain_name parameter.
CVE-2016-10331 1 Synology 1 Photo Station 2025-04-20 5.0 MEDIUM 7.5 HIGH
Directory traversal vulnerability in download.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to read arbitrary files via a full pathname in the id parameter.
CVE-2017-15886 1 Synology 1 Chat 2025-04-20 4.0 MEDIUM 6.5 MEDIUM
Server-side request forgery (SSRF) vulnerability in Link Preview in Synology Chat before 2.0.0-1124 allows remote authenticated users to download arbitrary local files via a crafted URI.
CVE-2017-9556 1 Synology 1 Video Station 2025-04-20 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in Video Metadata Editor in Synology Video Station before 2.3.0-1435 allows remote authenticated attackers to inject arbitrary web script or HTML via the title parameter.
CVE-2017-16766 1 Synology 1 Diskstation Manager 2025-04-20 6.4 MEDIUM 6.5 MEDIUM
An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.3-8754-6 allows local users to inject arbitrary web script or HTML via the -fn option.
CVE-2016-10329 1 Synology 1 Photo Station 2025-04-20 7.5 HIGH 9.8 CRITICAL
Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted 'X-Forwarded-For' header.
CVE-2017-16768 1 Synology 1 Mailplus Server 2025-04-20 3.5 LOW 4.8 MEDIUM
Cross-site scripting (XSS) vulnerability in User Policy editor in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary HTML via the name parameter.
CVE-2015-9103 1 Synology 1 Note Station 2025-04-20 3.5 LOW 5.4 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in Synology Note Station 1.1-0212 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) note title or (2) file name of attachments.
CVE-2017-11152 1 Synology 1 Photo Station 2025-04-20 5.0 MEDIUM 7.5 HIGH
Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter.
CVE-2017-11153 1 Synology 1 Photo Station 2025-04-20 7.5 HIGH 9.8 CRITICAL
Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload.
CVE-2017-9554 1 Synology 1 Diskstation Manager 2025-04-20 5.0 MEDIUM 5.3 MEDIUM
An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors.
CVE-2017-11156 1 Synology 1 Download Station 2025-04-20 6.5 MEDIUM 7.8 HIGH
Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 uses weak permissions (0777) for ui/dlm/btsearch directory, which allows remote authenticated users to execute arbitrary code by uploading an executable via unspecified vectors.
CVE-2017-9552 1 Synology 1 Photo Station 2025-04-20 2.1 LOW 7.8 HIGH
A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by "synophoto_dsm_user --auth USERNAME PASSWORD", and local users are able to obtain credentials by sniffing "/proc/*/cmdline".
CVE-2017-15890 1 Synology 1 Mailplus Server 2025-04-20 3.5 LOW 4.8 MEDIUM
Cross-site scripting (XSS) vulnerability in Disclaimer in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary web script or HTML via the NAME parameter.
CVE-2017-11151 1 Synology 1 Photo Station 2025-04-20 7.5 HIGH 9.8 CRITICAL
A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action.
CVE-2017-15888 1 Synology 1 Audio Station 2025-04-20 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in Custom Internet Radio List in Synology Audio Station before 6.3.0-3260 allows remote authenticated attackers to inject arbitrary web script or HTML via the NAME parameter.
CVE-2017-12071 1 Synology 1 Photo Station 2025-04-20 4.0 MEDIUM 6.5 MEDIUM
Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via the url parameter.
CVE-2017-15889 1 Synology 1 Diskstation Manager 2025-04-20 6.5 MEDIUM 8.8 HIGH
Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via disk field.
CVE-2017-15893 1 Synology 1 File Station 2025-04-20 4.0 MEDIUM 6.5 MEDIUM
Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology File Station before 1.1.1-0099 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.
CVE-2017-12077 1 Synology 1 Router Manager 2025-04-20 4.0 MEDIUM 4.9 MEDIUM
Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology Router Manager (SRM) before 1.1.4-6509 allows remote authenticated attacker to exhaust the memory resources of the machine, causing a denial of service attack.