Filtered by vendor Synology
Subscribe
Total
298 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27648 | 1 Synology | 1 Antivirus Essential | 2021-05-12 | 6.5 MEDIUM | 8.8 HIGH |
| Externally controlled reference to a resource in another sphere in quarantine functionality in Synology Antivirus Essential before 1.4.8-2801 allows remote authenticated users to obtain privilege via unspecified vectors. | |||||
| CVE-2018-8927 | 1 Synology | 1 Calendar | 2021-05-12 | 4.0 MEDIUM | 6.5 MEDIUM |
| Improper authorization vulnerability in SYNO.Cal.Event in Calendar before 2.1.2-0511 allows remote authenticated users to create arbitrary events via the (1) cal_id or (2) original_cal_id parameter. | |||||
| CVE-2018-8929 | 1 Synology | 1 Ssl Vpn Client | 2021-05-12 | 6.8 MEDIUM | 8.1 HIGH |
| Improper restriction of communication channel to intended endpoints vulnerability in HTTP daemon in Synology SSL VPN Client before 1.2.4-0224 allows remote attackers to conduct man-in-the-middle attacks via a crafted payload. | |||||
| CVE-2019-11820 | 1 Synology | 1 Calendar | 2021-05-12 | 2.1 LOW | 5.5 MEDIUM |
| Information exposure through process environment vulnerability in Synology Calendar before 2.3.3-0620 allows local users to obtain credentials via cmdline. | |||||
| CVE-2020-27649 | 1 Synology | 1 Router Manager | 2020-11-09 | 6.8 MEDIUM | 9.0 CRITICAL |
| Improper certificate validation vulnerability in OpenVPN client in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2020-27651 | 1 Synology | 1 Router Manager | 2020-11-06 | 6.8 MEDIUM | 8.1 HIGH |
| Synology Router Manager (SRM) before 1.2.4-8081 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session. | |||||
| CVE-2020-27658 | 1 Synology | 1 Router Manager | 2020-11-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. | |||||
| CVE-2020-27657 | 1 Synology | 1 Router Manager | 2020-11-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| Cleartext transmission of sensitive information vulnerability in DDNS in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors. | |||||
| CVE-2019-9502 | 2 Broadcom, Synology | 3 Bcm4339, Bcm4339 Firmware, Router Manager | 2020-02-10 | 8.3 HIGH | 8.8 HIGH |
| The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions. | |||||
| CVE-2019-9501 | 2 Broadcom, Synology | 3 Bcm4339, Bcm4339 Firmware, Router Manager | 2020-02-10 | 8.3 HIGH | 8.8 HIGH |
| The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. By supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions. | |||||
| CVE-2018-8914 | 1 Synology | 1 Media Server | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in UPnP DMA in Synology Media Server before 1.7.6-2842 and before 1.4-2654 allows remote attackers to execute arbitrary SQL commands via the ObjectID parameter. | |||||
| CVE-2018-8912 | 1 Synology | 1 Note Station | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Note in Synology Note Station before 2.5.1-0844 allows remote authenticated users to inject arbitrary web script or HTML via the commit_msg parameter. | |||||
| CVE-2018-8925 | 1 Synology | 1 Photo Station | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in admin/user.php in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote attackers to hijack the authentication of administrators via the (1) username, (2) password, (3) admin, (4) action, (5) uid, or (6) modify_admin parameter. | |||||
| CVE-2018-8923 | 1 Synology | 1 File Station | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Attachment Preview in Synology File Station before 1.1.4-0122 allows remote authenticated users to inject arbitrary web script or HTML via malicious attachments. | |||||
| CVE-2018-8926 | 1 Synology | 1 Photo Station | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| Permissive regular expression vulnerability in synophoto_dsm_user in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote authenticated users to conduct privilege escalation attacks via the fullname parameter. | |||||
| CVE-2018-8928 | 1 Synology | 1 Carddav Server | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Address Book Editor in Synology CardDAV Server before 6.0.8-0086 allows remote authenticated users to inject arbitrary web script or HTML via the (1) family_name, (2) given_name, or (3) additional_name parameter. | |||||
| CVE-2018-8911 | 1 Synology | 1 Note Station | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Attachment Preview in Synology Note Station before 2.5.1-0844 allows remote authenticated users to inject arbitrary web script or HTML via malicious attachments. | |||||
| CVE-2018-8913 | 1 Synology | 1 Web Station | 2019-10-09 | 5.8 MEDIUM | 6.1 MEDIUM |
| Missing custom error page vulnerability in Synology Web Station before 2.1.3-0139 allows remote attackers to conduct phishing attacks via a crafted URL. | |||||
| CVE-2018-8924 | 1 Synology | 1 Office | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Title Tootip in Synology Office before 3.0.3-2143 allows remote authenticated users to inject arbitrary web script or HTML via the malicious file name. | |||||
| CVE-2018-8915 | 1 Synology | 1 Calendar | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Notification Center in Synology Calendar before 2.1.1-0502 allows remote authenticated users to inject arbitrary web script or HTML via title parameter. | |||||