Search Results (Refine Search)
- CPE Product Version: cpe:/a:synology:diskstation_manager:6.1
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2021-26561 |
Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header. Published: February 26, 2021; 5:15:19 PM -0500 |
V3.1: 8.1 HIGH V2.0: 6.8 MEDIUM |
CVE-2021-26560 |
Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session. Published: February 26, 2021; 5:15:19 PM -0500 |
V3.1: 7.4 HIGH V2.0: 5.8 MEDIUM |
CVE-2019-3870 |
A vulnerability was found in Samba from version (including) 4.9 to versions before 4.9.6 and 4.10.2. During the creation of a new Samba AD DC, files are created in a private subdirectory of the install location. This directory is typically mode 0700, that is owner (root) only access. However in some upgraded installations it will have other permissions, such as 0755, because this was the default before Samba 4.8. Within this directory, files are created with mode 0666, which is world-writable, including a sample krb5.conf, and the list of DNS names and servicePrincipalName values to update. Published: April 09, 2019; 12:29:01 PM -0400 |
V3.1: 6.1 MEDIUM V2.0: 3.6 LOW |
CVE-2018-13293 |
Cross-site scripting (XSS) vulnerability in Control Panel SSO Settings in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to inject arbitrary web script or HTML via the URL parameter. Published: April 01, 2019; 11:29:00 AM -0400 |
V3.0: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2018-13291 |
Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to obtain sensitive information via the world readable configuration. Published: April 01, 2019; 11:29:00 AM -0400 |
V3.0: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2018-13286 |
Incorrect default permissions vulnerability in synouser.conf in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to obtain sensitive information via the world readable configuration. Published: April 01, 2019; 11:29:00 AM -0400 |
V3.0: 6.5 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2018-13284 |
Command injection vulnerability in ftpd in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command. Published: April 01, 2019; 11:29:00 AM -0400 |
V3.0: 8.8 HIGH V2.0: 9.0 HIGH |
CVE-2017-16774 |
Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter. Published: April 01, 2019; 11:29:00 AM -0400 |
V3.0: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2018-8920 |
Improper neutralization of escape vulnerability in Log Exporter in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary content to have an unspecified impact by exporting an archive in CSV format. Published: December 24, 2018; 10:29:00 AM -0500 |
V3.1: 7.2 HIGH V2.0: 6.5 MEDIUM |
CVE-2018-8919 |
Information exposure vulnerability in SYNO.Core.Desktop.SessionData in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to steal credentials via unspecified vectors. Published: December 24, 2018; 10:29:00 AM -0500 |
V3.0: 9.8 CRITICAL V2.0: 5.0 MEDIUM |
CVE-2018-8917 |
Cross-site scripting (XSS) vulnerability in info.cgi in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary web script or HTML via the host parameter. Published: December 24, 2018; 10:29:00 AM -0500 |
V3.0: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2018-1160 |
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution. Published: December 20, 2018; 4:29:00 PM -0500 |
V3.0: 9.8 CRITICAL V2.0: 10.0 HIGH |
CVE-2018-13281 |
Information exposure vulnerability in SYNO.Core.ACL in Synology DiskStation Manager (DSM) before 6.2-23739-2 allows remote authenticated users to determine the existence and obtain the metadata of arbitrary files via the file_path parameter. Published: October 31, 2018; 12:29:00 PM -0400 |
V3.0: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2018-13280 |
Use of insufficiently random values vulnerability in SYNO.Encryption.GenRandomKey in Synology DiskStation Manager (DSM) before 6.2-23739 allows man-in-the-middle attackers to compromise non-HTTPS sessions via unspecified vectors. Published: July 30, 2018; 10:29:03 AM -0400 |
V3.0: 5.9 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2018-8916 |
Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification. Published: June 08, 2018; 9:29:01 AM -0400 |
V3.0: 8.8 HIGH V2.0: 4.0 MEDIUM |
CVE-2017-12075 |
Command injection vulnerability in EZ-Internet in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to execute arbitrary command via the username parameter. Published: June 08, 2018; 9:29:00 AM -0400 |
V3.0: 7.2 HIGH V2.0: 6.5 MEDIUM |
CVE-2018-7185 |
The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association causing the victim ntpd to reset its association. Published: March 06, 2018; 3:29:01 PM -0500 |
V3.1: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2018-7184 |
ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704. Published: March 06, 2018; 3:29:01 PM -0500 |
V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2018-7170 |
ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549. Published: March 06, 2018; 3:29:01 PM -0500 |
V3.1: 5.3 MEDIUM V2.0: 3.5 LOW |
CVE-2017-5753 |
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. Published: January 04, 2018; 8:29:00 AM -0500 |
V3.1: 5.6 MEDIUM V2.0: 4.7 MEDIUM |