National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:synology:diskstation_manager:6.1
There are 19 matching records.
Vuln ID Summary CVSS Severity
CVE-2018-13293

Cross-site scripting (XSS) vulnerability in Control Panel SSO Settings in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to inject arbitrary web script or HTML via the URL parameter.

Published: April 01, 2019; 11:29:00 AM -04:00
V3.0: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2018-13291

Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to obtain sensitive information via the world readable configuration.

Published: April 01, 2019; 11:29:00 AM -04:00
V3.0: 4.3 MEDIUM
    V2: 4.0 MEDIUM
CVE-2018-13286

Incorrect default permissions vulnerability in synouser.conf in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to obtain sensitive information via the world readable configuration.

Published: April 01, 2019; 11:29:00 AM -04:00
V3.0: 6.5 MEDIUM
    V2: 4.0 MEDIUM
CVE-2018-13284

Command injection vulnerability in ftpd in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command.

Published: April 01, 2019; 11:29:00 AM -04:00
V3.0: 8.8 HIGH
    V2: 9.0 HIGH
CVE-2017-16774

Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter.

Published: April 01, 2019; 11:29:00 AM -04:00
V3.0: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2018-8920

Improper neutralization of escape vulnerability in Log Exporter in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary content to have an unspecified impact by exporting an archive in CSV format.

Published: December 24, 2018; 10:29:00 AM -05:00
V3.0: 7.2 HIGH
    V2: 6.5 MEDIUM
CVE-2018-8919

Information exposure vulnerability in SYNO.Core.Desktop.SessionData in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to steal credentials via unspecified vectors.

Published: December 24, 2018; 10:29:00 AM -05:00
V3.0: 9.8 CRITICAL
    V2: 5.0 MEDIUM
CVE-2018-8917

Cross-site scripting (XSS) vulnerability in info.cgi in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary web script or HTML via the host parameter.

Published: December 24, 2018; 10:29:00 AM -05:00
V3.0: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2018-1160

Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.

Published: December 20, 2018; 04:29:00 PM -05:00
V3.0: 9.8 CRITICAL
    V2: 10.0 HIGH
CVE-2018-13281

Information exposure vulnerability in SYNO.Core.ACL in Synology DiskStation Manager (DSM) before 6.2-23739-2 allows remote authenticated users to determine the existence and obtain the metadata of arbitrary files via the file_path parameter.

Published: October 31, 2018; 12:29:00 PM -04:00
V3.0: 4.3 MEDIUM
    V2: 4.0 MEDIUM
CVE-2018-13280

Use of insufficiently random values vulnerability in SYNO.Encryption.GenRandomKey in Synology DiskStation Manager (DSM) before 6.2-23739 allows man-in-the-middle attackers to compromise non-HTTPS sessions via unspecified vectors.

Published: July 30, 2018; 10:29:03 AM -04:00
V3.0: 5.9 MEDIUM
    V2: 4.3 MEDIUM
CVE-2018-8916

Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification.

Published: June 08, 2018; 09:29:01 AM -04:00
V3.0: 8.8 HIGH
    V2: 4.0 MEDIUM
CVE-2017-12075

Command injection vulnerability in EZ-Internet in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to execute arbitrary command via the username parameter.

Published: June 08, 2018; 09:29:00 AM -04:00
V3.0: 7.2 HIGH
    V2: 6.5 MEDIUM
CVE-2018-7185

The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association causing the victim ntpd to reset its association.

Published: March 06, 2018; 03:29:01 PM -05:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2018-7184

ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.

Published: March 06, 2018; 03:29:01 PM -05:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2018-7170

ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549.

Published: March 06, 2018; 03:29:01 PM -05:00
V3.0: 5.3 MEDIUM
    V2: 3.5 LOW
CVE-2017-12076

Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology DiskStation (DSM) before 6.1.1-15088 allows remote authenticated attacker to exhaust the memory resources of the machine, causing a denial of service attack.

Published: August 28, 2017; 03:29:00 PM -04:00
V3.0: 4.9 MEDIUM
    V2: 4.0 MEDIUM
CVE-2017-9554

An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors.

Published: July 24, 2017; 04:29:00 PM -04:00
V3.0: 5.3 MEDIUM
    V2: 5.0 MEDIUM
CVE-2017-9553

A design flaw in SYNO.API.Encryption in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to bypass the encryption protection mechanism via the crafted version parameter.

Published: July 24, 2017; 04:29:00 PM -04:00
V3.0: 7.5 HIGH
    V2: 4.3 MEDIUM