Search Results (Refine Search)
- Keyword (text search): cpe:2.3:a:synology:photo_station:6.3-2944:*:*:*:*:*:*:*
- CPE Name Search: true
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2017-9552 |
A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by "synophoto_dsm_user --auth USERNAME PASSWORD", and local users are able to obtain credentials by sniffing "/proc/*/cmdline". Published: June 13, 2017; 9:29:00 AM -0400 |
V4.0:(not available) V3.0: 7.8 HIGH V2.0: 2.1 LOW |
CVE-2016-10331 |
Directory traversal vulnerability in download.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to read arbitrary files via a full pathname in the id parameter. Published: May 12, 2017; 4:29:00 PM -0400 |
V4.0:(not available) V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2016-10330 |
Directory traversal vulnerability in synophoto_dsm_user, a SUID program, as used in Synology Photo Station before 6.5.3-3226 allows local users to write to arbitrary files via unspecified vectors. Published: May 12, 2017; 4:29:00 PM -0400 |
V4.0:(not available) V3.0: 7.1 HIGH V2.0: 4.6 MEDIUM |
CVE-2016-10329 |
Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted 'X-Forwarded-For' header. Published: May 12, 2017; 4:29:00 PM -0400 |
V4.0:(not available) V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2016-10323 |
Synology Photo Station before 6.3-2958 allows local users to gain privileges by leveraging setuid execution of a "synophoto_dsm_user --copy-no-ea" command. Published: April 10, 2017; 2:59:00 PM -0400 |
V4.0:(not available) V3.0: 7.8 HIGH V2.0: 7.2 HIGH |
CVE-2016-10322 |
Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php. Published: April 10, 2017; 2:59:00 PM -0400 |
V4.0:(not available) V3.0: 8.8 HIGH V2.0: 6.5 MEDIUM |
CVE-2015-4656 |
Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php or (2) crafted URL parameters to index.php, as demonstrated by the t parameter to photo/. Published: June 18, 2015; 2:59:09 PM -0400 |
V4.0:(not available) V3.x:(not available) V2.0: 4.3 MEDIUM |