Synology

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2015-9103 1Synology 1Note Station May 13, 2026 Jun 30, 2017 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Multiple cross-site scripting (XSS) vulnerabilities in Synology Note Station 1.1-0212 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) note title or (2) file name of att...Show more Multiple cross-site scripting (XSS) vulnerabilities in Synology Note Station 1.1-0212 and earlier allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) note title or (2) file name of attachments.Show less
CVE-2015-9102 1Synology 1Photo Station May 13, 2026 Jun 30, 2017 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name...Show more Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos.Show less
CVE-2017-9552 1Synology 1Photo Station May 13, 2026 Jun 13, 2017 N/A· v4 7.8 HIGH· v3 2.1 LOW· v2 A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate us...Show more A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by "synophoto_dsm_user --auth USERNAME PASSWORD", and local users are able to obtain credentials by sniffing "/proc/*/cmdline".Show less
CVE-2016-10331 1Synology 1Photo Station May 13, 2026 May 12, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Directory traversal vulnerability in download.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to read arbitrary files via a full pathname in the id parameter.
CVE-2016-10330 1Synology 1Photo Station May 13, 2026 May 12, 2017 N/A· v4 7.1 HIGH· v3 4.6 MEDIUM· v2 Directory traversal vulnerability in synophoto_dsm_user, a SUID program, as used in Synology Photo Station before 6.5.3-3226 allows local users to write to arbitrary files via unspecified vectors.
CVE-2016-10329 1Synology 1Photo Station May 13, 2026 May 12, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted 'X-Forwarded-For' header.
CVE-2016-10323 1Synology 1Photo Station May 13, 2026 Apr 10, 2017 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Synology Photo Station before 6.3-2958 allows local users to gain privileges by leveraging setuid execution of a "synophoto_dsm_user --copy-no-ea" command.
CVE-2016-10322 1Synology 1Photo Station May 13, 2026 Apr 10, 2017 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php.
CVE-2015-6913 1Synology 1Download Station May 6, 2026 Sep 11, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in the "Create download task via URL" feature in Synology Download Station before 3.5-2967 allows remote attackers to inject arbitrary web script or HTML via the urls parameter in...Show more Cross-site scripting (XSS) vulnerability in the "Create download task via URL" feature in Synology Download Station before 3.5-2967 allows remote attackers to inject arbitrary web script or HTML via the urls parameter in an add_url_task action to dlm/downloadman.cgi.Show less
CVE-2015-6912 1Synology 1Video Station May 6, 2026 Sep 11, 2015 N/A· v4 N/A· v3 10.0 HIGH· v2 Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharacters in the subtitle_codepage parameter to subtitle.cgi.
CVE-2015-6911 1Synology 1Video Station May 6, 2026 Sep 11, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary SQL commands via the id parameter to watchstatus.cgi.
CVE-2015-6910 1Synology 1Video Station May 6, 2026 Sep 11, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 SQL injection vulnerability in Synology Video Station before 1.5-0757 allows remote attackers to execute arbitrary SQL commands via the id parameter to audiotrack.cgi.
CVE-2015-6909 1Synology 1Download Station May 6, 2026 Sep 11, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in the "Create download task via file upload" feature in Synology Download Station before 3.5-2962 allows remote attackers to inject arbitrary web script or HTML via the name elem...Show more Cross-site scripting (XSS) vulnerability in the "Create download task via file upload" feature in Synology Download Station before 3.5-2962 allows remote attackers to inject arbitrary web script or HTML via the name element in the Info dictionary in a torrent file.Show less
CVE-2015-4656 1Synology 1Photo Station May 6, 2026 Jun 18, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php or (2) crafted URL pa...Show more Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php or (2) crafted URL parameters to index.php, as demonstrated by the t parameter to photo/.Show less
CVE-2015-4655 1Synology 1Diskstation Manager May 6, 2026 Jun 18, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in Synology DiskStation Manager (DSM) before 5.2-5565 Update 1 allows remote attackers to inject arbitrary web script or HTML via the "compound" parameter to entry.cgi.
CVE-2015-2851 1Synology 1Cloud Station May 6, 2026 May 30, 2015 N/A· v4 N/A· v3 6.8 MEDIUM· v2 client_chown in the sync client in Synology Cloud Station 1.1-2291 through 3.1-3320 on OS X allows local users to change the ownership of arbitrary files, and consequently obtain root access, by specifying a filename.
CVE-2015-2809 1Synology 1Diskstation Manager May 6, 2026 Apr 1, 2015 N/A· v4 N/A· v3 5.0 MEDIUM· v2 The Multicast DNS (mDNS) responder in Synology DiskStation Manager (DSM) before 3.1 inadvertently responds to unicast queries with source addresses that are not link-local, which allows remote attackers to cause a denial...Show more The Multicast DNS (mDNS) responder in Synology DiskStation Manager (DSM) before 3.1 inadvertently responds to unicast queries with source addresses that are not link-local, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets to the Avahi component.Show less
CVE-2014-6868 1Synology 1Ds Audio May 6, 2026 Oct 2, 2014 N/A· v4 N/A· v3 5.4 MEDIUM· v2 The DS audio (aka com.synology.DSaudio) application 3.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a cr...Show more The DS audio (aka com.synology.DSaudio) application 3.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.Show less
CVE-2014-6848 1Synology 1Ds File May 6, 2026 Sep 30, 2014 N/A· v4 N/A· v3 5.4 MEDIUM· v2 The DS file (aka com.synology.DSfile) application 4.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a cr...Show more The DS file (aka com.synology.DSfile) application 4.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.Show less
CVE-2014-6836 1Synology 1Ds Photo+ May 6, 2026 Sep 30, 2014 N/A· v4 N/A· v3 5.4 MEDIUM· v2 The DS photo+ (aka com.synology.dsphoto) application 3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a c...Show more The DS photo+ (aka com.synology.dsphoto) application 3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.Show less

Previous 1...14 15 161718 Next