Filtered by vendor Synology
Subscribe
Total
326 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-6868 | 1 Synology | 1 Ds Audio | 2025-04-12 | 5.4 MEDIUM | N/A |
| The DS audio (aka com.synology.DSaudio) application 3.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2014-6836 | 1 Synology | 1 Ds Photo\+ | 2025-04-12 | 5.4 MEDIUM | N/A |
| The DS photo+ (aka com.synology.dsphoto) application 3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2013-6955 | 1 Synology | 1 Diskstation Manager | 2025-04-11 | 10.0 HIGH | N/A |
| webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header. | |||||
| CVE-2010-2453 | 1 Synology | 13 Disk Station Ds1010\+, Disk Station Ds109, Disk Station Ds110\+ and 10 more | 2025-04-11 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Synology Disk Station 2.x before DSM3.0-1337 allow remote attackers to inject arbitrary web script or HTML by connecting to the FTP server and providing a crafted (1) USER or (2) PASS command, which is written by the FTP logging module to a web-interface log window, related to a "web commands injection" issue. | |||||
| CVE-2013-6987 | 1 Synology | 1 Diskstation Manager | 2025-04-11 | 7.5 HIGH | N/A |
| Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter to file_delete.cgi or (2) folder_path parameter to file_share.cgi in webapi/FileStation/; (3) dlink parameter to fbdownload/; or unspecified parameters to (4) html5_upload.cgi, (5) file_download.cgi, (6) file_sharing.cgi, (7) file_MVCP.cgi, or (8) file_rename.cgi in webapi/FileStation/. | |||||
| CVE-2010-3684 | 1 Synology | 13 Disk Station Ds1010\+, Disk Station Ds109, Disk Station Ds110\+ and 10 more | 2025-04-11 | 2.1 LOW | N/A |
| The FTP authentication module in Synology Disk Station 2.x logs passwords to the web application interface in cases of incorrect login attempts, which allows local users to obtain sensitive information by reading a log, a different vulnerability than CVE-2010-2453. | |||||
| CVE-2023-47802 | 1 Synology | 4 Bc500, Bc500 Firmware, Tc500 and 1 more | 2025-04-10 | N/A | 7.2 HIGH |
| A vulnerability regarding improper neutralization of special elements used in an OS command ('OS Command Injection') is found in the IP block functionality. This allows remote authenticated users with administrator privileges to execute arbitrary commands via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500. | |||||
| CVE-2024-39349 | 1 Synology | 4 Bc500, Bc500 Firmware, Tc500 and 1 more | 2025-04-10 | N/A | 9.8 CRITICAL |
| A vulnerability regarding buffer copy without checking size of input ('Classic Buffer Overflow') is found in the libjansson component and it does not affect the upstream library. This allows remote attackers to execute arbitrary code via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500. | |||||
| CVE-2023-47803 | 1 Synology | 4 Bc500, Bc500 Firmware, Tc500 and 1 more | 2025-04-10 | N/A | 5.3 MEDIUM |
| A vulnerability regarding improper limitation of a pathname to a restricted directory ('Path Traversal') is found in the Language Settings functionality. This allows remote attackers to read specific files containing non-sensitive information via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500. | |||||
| CVE-2024-39351 | 1 Synology | 4 Bc500, Bc500 Firmware, Tc500 and 1 more | 2025-04-10 | N/A | 7.2 HIGH |
| A vulnerability regarding improper neutralization of special elements used in an OS command ('OS Command Injection') is found in the NTP configuration. This allows remote authenticated users with administrator privileges to execute arbitrary commands via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500. | |||||
| CVE-2024-39352 | 1 Synology | 4 Bc500, Bc500 Firmware, Tc500 and 1 more | 2025-04-10 | N/A | 4.9 MEDIUM |
| A vulnerability regarding incorrect authorization is found in the firmware upgrade functionality. This allows remote authenticated users with administrator privileges to bypass firmware integrity check via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500. | |||||
| CVE-2023-52944 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2025-03-06 | N/A | 4.3 MEDIUM |
| Incorrect authorization vulnerability in ActionRule webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to perform limited actions on the set action rules function via unspecified vectors. | |||||
| CVE-2023-52943 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2025-03-06 | N/A | 4.3 MEDIUM |
| Incorrect authorization vulnerability in Alert.Setting webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to to perform limited actions on the alerting function via unspecified vectors. | |||||
| CVE-2024-39350 | 1 Synology | 4 Bc500, Bc500 Firmware, Tc500 and 1 more | 2025-03-06 | N/A | 7.5 HIGH |
| A vulnerability regarding authentication bypass by spoofing is found in the RTSP functionality. This allows man-in-the-middle attackers to obtain privileges without consent via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500. | |||||
| CVE-2024-29229 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2025-01-14 | N/A | 7.7 HIGH |
| Missing authorization vulnerability in GetLiveViewPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors. | |||||
| CVE-2024-29228 | 1 Synology | 2 Diskstation Manager, Surveillance Station | 2025-01-14 | N/A | 7.7 HIGH |
| Missing authorization vulnerability in GetStmUrlPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors. | |||||
| CVE-2021-26569 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 6.8 MEDIUM | 9.8 CRITICAL |
| Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests. | |||||
| CVE-2022-27621 | 1 Synology | 2 Diskstation Manager, Usb Copy | 2025-01-14 | N/A | 5.5 MEDIUM |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology USB Copy before 2.2.0-1086 allows remote authenticated users to read or write arbitrary files via unspecified vectors. | |||||
| CVE-2017-5753 | 13 Arm, Canonical, Debian and 10 more | 387 Cortex-a12, Cortex-a12 Firmware, Cortex-a15 and 384 more | 2025-01-14 | 4.7 MEDIUM | 5.6 MEDIUM |
| Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. | |||||
| CVE-2022-27614 | 1 Synology | 3 Diskstation Manager, Media Server, Router Manager | 2025-01-14 | N/A | 5.3 MEDIUM |
| Exposure of sensitive information to an unauthorized actor vulnerability in web server in Synology Media Server before 1.8.1-2876 allows remote attackers to obtain sensitive information via unspecified vectors. | |||||