ReportizFlow
Filtered by vendor Synology
Subscriptions
Filtered by product Diskstation Manager
Subscriptions
Total
111 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-29085 | 1 Synology | 2 Diskstation Manager, Diskstation Manager Unified Controller | 2025-01-14 | 8.6 High |
| Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors. | ||||
| CVE-2021-29086 | 1 Synology | 2 Diskstation Manager, Diskstation Manager Unified Controller | 2025-01-14 | 5.3 Medium |
| Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors. | ||||
| CVE-2022-22679 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 6.5 Medium |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in support service management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to write arbitrary files via unspecified vectors. | ||||
| CVE-2022-27614 | 1 Synology | 3 Diskstation Manager, Media Server, Router Manager | 2025-01-14 | 5.3 Medium |
| Exposure of sensitive information to an unauthorized actor vulnerability in web server in Synology Media Server before 1.8.1-2876 allows remote attackers to obtain sensitive information via unspecified vectors. | ||||
| CVE-2022-27616 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 7.2 High |
| Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 7.0.1-42218-3 allows remote authenticated users to execute arbitrary commands via unspecified vectors. | ||||
| CVE-2018-1160 | 3 Debian, Netatalk, Synology | 7 Debian Linux, Netatalk, Diskstation Manager and 4 more | 2025-01-14 | N/A |
| Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution. | ||||
| CVE-2018-13284 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | N/A |
| Command injection vulnerability in ftpd in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command. | ||||
| CVE-2017-5753 | 14 Arm, Canonical, Debian and 11 more | 396 Cortex-a12, Cortex-a12 Firmware, Cortex-a15 and 393 more | 2025-01-14 | 5.6 Medium |
| Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. | ||||
| CVE-2019-3870 | 3 Fedoraproject, Samba, Synology | 9 Fedora, Samba, Directory Server and 6 more | 2025-01-14 | 6.1 Medium |
| A vulnerability was found in Samba from version (including) 4.9 to versions before 4.9.6 and 4.10.2. During the creation of a new Samba AD DC, files are created in a private subdirectory of the install location. This directory is typically mode 0700, that is owner (root) only access. However in some upgraded installations it will have other permissions, such as 0755, because this was the default before Samba 4.8. Within this directory, files are created with mode 0666, which is world-writable, including a sample krb5.conf, and the list of DNS names and servicePrincipalName values to update. | ||||
| CVE-2019-9517 | 12 Apache, Apple, Canonical and 9 more | 28 Http Server, Traffic Server, Mac Os X and 25 more | 2025-01-14 | 7.5 High |
| Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both. | ||||
| CVE-2018-13281 | 1 Synology | 3 Diskstation Manager, Skynas, Vs960hd | 2025-01-14 | N/A |
| Information exposure vulnerability in SYNO.Core.ACL in Synology DiskStation Manager (DSM) before 6.2-23739-2 allows remote authenticated users to determine the existence and obtain the metadata of arbitrary files via the file_path parameter. | ||||
| CVE-2018-13286 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | N/A |
| Incorrect default permissions vulnerability in synouser.conf in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to obtain sensitive information via the world readable configuration. | ||||
| CVE-2018-13291 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | N/A |
| Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to obtain sensitive information via the world readable configuration. | ||||
| CVE-2018-8916 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | N/A |
| Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification. | ||||
| CVE-2019-14907 | 6 Canonical, Debian, Fedoraproject and 3 more | 10 Ubuntu Linux, Debian Linux, Fedora and 7 more | 2025-01-14 | 6.5 Medium |
| All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with "log level = 3" (or above) then the string obtained from the client, after a failed character conversion, is printed. Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process(such as the RPC server) to terminate. (In the file server case, the most likely target, smbd, operates as process-per-client and so a crash there is harmless). | ||||
| CVE-2019-19344 | 4 Canonical, Opensuse, Samba and 1 more | 7 Ubuntu Linux, Leap, Samba and 4 more | 2025-01-14 | 6.5 Medium |
| There is a use-after-free issue in all samba 4.9.x versions before 4.9.18, all samba 4.10.x versions before 4.10.12 and all samba 4.11.x versions before 4.11.5, essentially due to a call to realloc() while other local variables still point at the original buffer. | ||||
| CVE-2022-27620 | 1 Synology | 2 Diskstation Manager, Sso Server | 2025-01-14 | 6.8 Medium |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology SSO Server before 2.2.3-0331 allows remote authenticated users to read arbitrary files via unspecified vectors. | ||||
| CVE-2017-16774 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | N/A |
| Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter. | ||||
| CVE-2020-27648 | 1 Synology | 3 Diskstation Manager, Skynas, Skynas Firmware | 2025-01-14 | 8.3 High |
| Improper certificate validation vulnerability in OpenVPN client in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | ||||
| CVE-2020-27653 | 1 Synology | 2 Diskstation Manager, Router Manager | 2025-01-14 | 8.3 High |
| Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors. | ||||