Synology

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-8924 1Synology 1Office Nov 21, 2024 Jun 5, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross-site scripting (XSS) vulnerability in Title Tootip in Synology Office before 3.0.3-2143 allows remote authenticated users to inject arbitrary web script or HTML via the malicious file name.
CVE-2018-8923 1Synology 1File Station Nov 21, 2024 Jun 5, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross-site scripting (XSS) vulnerability in Attachment Preview in Synology File Station before 1.1.4-0122 allows remote authenticated users to inject arbitrary web script or HTML via malicious attachments.
CVE-2018-8922 1Synology 1Drive Server Nov 21, 2024 Jun 1, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Improper access control vulnerability in Synology Drive before 1.0.2-10275 allows remote authenticated users to access non-shared files or folders via unspecified vectors.
CVE-2018-8921 1Synology 1Drive Server Nov 21, 2024 Jun 1, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross-site scripting (XSS) vulnerability in File Sharing Notify Toast in Synology Drive before 1.0.2-10275 allows remote authenticated users to inject arbitrary web script or HTML via the malicious file name.
CVE-2018-8915 1Synology 1Calendar Nov 21, 2024 May 10, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross-site scripting (XSS) vulnerability in Notification Center in Synology Calendar before 2.1.1-0502 allows remote authenticated users to inject arbitrary web script or HTML via title parameter.
CVE-2018-8914 1Synology 1Media Server Nov 21, 2024 May 10, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 SQL injection vulnerability in UPnP DMA in Synology Media Server before 1.7.6-2842 and before 1.4-2654 allows remote attackers to execute arbitrary SQL commands via the ObjectID parameter.
CVE-2018-8910 1Synology 1Drive Server Nov 21, 2024 May 10, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross-site scripting (XSS) vulnerability in Attachment Preview in Synology Drive before 1.0.1-10253 allows remote authenticated users to inject arbitrary web script or HTML via malicious attachments.
CVE-2018-8912 1Synology 1Note Station Nov 21, 2024 May 9, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Note in Synology Note Station before 2.5.1-0844 allows remote authenticated users to inject arbitrary web script or HTML via the commit_msg parameter.
CVE-2018-8911 1Synology 1Note Station Nov 21, 2024 May 9, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross-site scripting (XSS) vulnerability in Attachment Preview in Synology Note Station before 2.5.1-0844 allows remote authenticated users to inject arbitrary web script or HTML via malicious attachments.
CVE-2018-8897 8Apple CanonicalCitrix+5 more 11Debian Linux Diskstation ManagerEnterprise Linux Server+8 more Nov 21, 2024 May 8, 2018 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected beh...Show more A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.Show less
CVE-2017-16772 1Synology 1Photo Station Nov 21, 2024 Mar 22, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUpload in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote authenticated users to execute arbitrary codes via the prog_id paramet...Show more Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUpload in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote authenticated users to execute arbitrary codes via the prog_id parameter.Show less
CVE-2017-16771 1Synology 1Photo Station Nov 21, 2024 Mar 22, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in Log Viewer in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote attackers to inject arbitrary web script or HTML via the username parameter.
CVE-2018-7185 6Canonical HpeNetapp+3 more 16Diskstation Manager Fujitsu M10 1 FirmwareFujitsu M10 4 Firmware+13 more Jan 14, 2025 Mar 6, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the "other side"...Show more The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association causing the victim ntpd to reset its association.Show less
CVE-2018-7184 5Canonical NetappNtp+2 more 10Cloud Backup Diskstation ManagerNtp+7 more Jan 14, 2025 Mar 6, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp cau...Show more ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.Show less
CVE-2018-7170 4Hpe NetappNtp+1 more 9Diskstation Manager HciHpux Ntp+6 more Jan 14, 2025 Mar 6, 2018 N/A· v4 5.3 MEDIUM· v3 3.5 LOW· v2 ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and mo...Show more ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549.Show less
CVE-2017-16770 1Synology 1Surveillance Station Nov 21, 2024 Feb 27, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 File and directory information exposure vulnerability in SYNO.SurveillanceStation.PersonalSettings.Photo in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to obtain other user's sensiti...Show more File and directory information exposure vulnerability in SYNO.SurveillanceStation.PersonalSettings.Photo in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to obtain other user's sensitive files via the filename parameter.Show less
CVE-2017-16767 1Synology 1Surveillance Station Nov 21, 2024 Feb 27, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter.
CVE-2017-16769 1Synology 1Photo Station Nov 21, 2024 Feb 23, 2018 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Exposure of private information vulnerability in Photo Viewer in Synology Photo Station 6.8.1-3458 allows remote attackers to obtain metadata from password-protected photographs via the map viewer mode.
CVE-2017-5753 13Arm CanonicalDebian+10 more 308Atom C Atom EAtom X3+305 more May 28, 2026 Jan 4, 2018 N/A· v4 5.6 MEDIUM· v3 4.7 MEDIUM· v2 Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
CVE-2017-15892 1Synology 1Chat May 13, 2026 Dec 28, 2017 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Multiple cross-site scripting (XSS) vulnerabilities in Slash Command Creator in Synology Chat before 2.0.0-1124 allow remote authenticated users to inject arbitrary web script or HTML via (1) COMMAND, (2) COMMANDS INSTRU...Show more Multiple cross-site scripting (XSS) vulnerabilities in Slash Command Creator in Synology Chat before 2.0.0-1124 allow remote authenticated users to inject arbitrary web script or HTML via (1) COMMAND, (2) COMMANDS INSTRUCTION, or (3) DESCRIPTION parameter.Show less

Previous 1...131415...18 Next