cbcvebase.
CVE-2013-6987
published 2013-12-31


Priority: P3 58 · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P (network, low complexity, no authentication, partial confidentiality/integrity/availability impact)
Exploit: available
EPSS: 14.89% (96.3rd percentile)
Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter to file_delete.cgi or (2) folder_path parameter to file_share.cgi in webapi/FileStation/; (3) dlink parameter to fbdownload/; or unspecified parameters to (4) html5_upload.cgi, (5) file_download.cgi, (6) file_sharing.cgi, (7) file_MVCP.cgi, or (8) file_rename.cgi in webapi/FileStation/.

Affected (1 range)

Vendor    Product              Version range          Fixed in
synology  diskstation_manager  < 4.3-3810 Update 3    4.3-3810 Update 3

Detection & IOCs (extracted from sources)

url      /webapi/FileStation/file_delete.cgi
url      /webapi/FileStation/file_share.cgi
url      /fbdownload/
url      /webapi/FileStation/html5_upload.cgi
url      /webapi/FileStation/file_download.cgi
url      /webapi/FileStation/file_sharing.cgi
url      /webapi/FileStation/file_MVCP.cgi
url      /webapi/FileStation/file_rename.cgi
command  folder_path=/test/../../tmp&api=SYNO.FileStation.List&method=list&version=1
  • Detect directory traversal attempts (dot-dot sequences) in POST body parameters 'path', 'folder_path', and 'dlink' targeting Synology FileStation CGI endpoints.
  • Monitor for POST requests to /webapi/FileStation/*.cgi and /fbdownload/ containing '../' or '..%2F' sequences in request parameters, particularly 'folder_path', 'path', and 'dlink'.
  • Look for the custom header 'X-SYNO-TOKEN' in requests to FileStation CGI endpoints combined with traversal patterns, indicating authenticated exploitation attempts.
  • Flag requests where 'folder_path' or 'path' parameters resolve outside expected share directories (e.g., traversal to /etc/passwd or /tmp).
  • The public exploit targets Synology DSM on its default HTTP port, TCP 5000. Detections that only inspect ports 80 and 443 will miss it, so scope the rules to include 5000 (or whichever port DSM is configured to listen on).
  • Exploitation requires a valid session (X-SYNO-TOKEN header plus session cookie), so the attacker must be authenticated or must have obtained a valid session token beforehand. This is a stricter precondition than the Au:N (no authentication) in the CVSS 2.0 vector above; treat unauthenticated traversal attempts against these endpoints as suspicious as well rather than assuming one of the two is wrong.
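The detection rules above, run over a few constructed log lines, as an added example. This is not code from the cbcvebase page, from Synology, or from any published detection rule. The log format is an assumption for the example (source IP, method, URL with query, URL-encoded POST body or "-", X-SYNO-TOKEN value or "-"), and so is SHARE_ROOT; the endpoint prefixes, parameter names and the "../" / "..%2F" patterns come from the CVE description and the rules above. Parameters are decoded twice so that a double-encoded "..%252F" is also caught, and each value is normalised and checked against the share root, which is the "resolves outside expected share directories" rule.

```python
"""Detection logic for CVE-2013-6987 traversal attempts (added example, not the
page's or Synology's code).  Scans constructed log lines of the assumed form
  <src_ip> <method> <url> <urlencoded body or -> <X-SYNO-TOKEN or ->
and reports 'path', 'folder_path' and 'dlink' values that contain a dot-dot
segment or that resolve outside SHARE_ROOT on the FileStation endpoints."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint prefixes named in the CVE description (prefix match on the request path).
WATCHED_PATHS = ("/webapi/FileStation/", "/fbdownload/")
WATCHED_PARAMS = ("path", "folder_path", "dlink")
SHARE_ROOT = "/volume1"  # assumed location of user shares; not a DSM constant

# '..' as a whole path segment: '/../', a leading '../' or a trailing '/..'.
DOTDOT = re.compile(r"(^|/)\.\.(/|$)")

# Constructed sample log: lines 1-3 are attacks (line 2 is the IOC command above,
# line 3 is double-encoded), line 4 is benign, line 5 hits an unwatched endpoint.
SAMPLE_LOG = [
    "192.0.2.10 POST /webapi/FileStation/file_delete.cgi "
    "path=%2Fpublic%2F..%2F..%2Fetc%2Fpasswd&api=SYNO.FileStation.Delete&method=delete&version=1 abc123",
    "192.0.2.10 POST /webapi/FileStation/file_share.cgi "
    "folder_path=/test/../../tmp&api=SYNO.FileStation.List&method=list&version=1 abc123",
    "198.51.100.7 GET /fbdownload/?dlink=..%252F..%252Fetc%252Fshadow - -",
    "203.0.113.5 POST /webapi/FileStation/file_rename.cgi "
    "path=/photo/holiday.jpg&name=x.jpg&api=SYNO.FileStation.Rename&method=rename&version=1 def456",
    "203.0.113.5 GET /webman/index.cgi?path=../x - -",
]


def escapes_share_root(share_path: str, root: str = SHARE_ROOT) -> bool:
    """FileStation paths are share-relative ('/photo/x.jpg'), so join them under
    the share root, normalise, and report True if the result left the root."""
    resolved = posixpath.normpath(posixpath.join(root, share_path.lstrip("/")))
    return resolved != root and not resolved.startswith(root + "/")


def extract_params(url: str, body: str) -> dict:
    """Merge query-string and body parameters.  parse_qs decodes once; the extra
    unquote() turns a double-encoded '..%252F' into '../' as well."""
    merged = {}
    for raw in (urlsplit(url).query, "" if body == "-" else body):
        for name, values in parse_qs(raw, keep_blank_values=True).items():
            merged.setdefault(name, []).extend(unquote(v) for v in values)
    return merged


def analyze_request(method: str, url: str, body: str) -> list:
    """Return one finding per suspicious watched parameter on a watched endpoint."""
    if not urlsplit(url).path.startswith(WATCHED_PATHS):
        return []
    findings = []
    params = extract_params(url, body)
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            reasons = []
            if DOTDOT.search(value):
                reasons.append("dot-dot")
            if escapes_share_root(value):
                reasons.append("outside-share-root")
            if reasons:
                findings.append({"param": name, "value": value, "reasons": tuple(reasons)})
    return findings


def scan_log(lines) -> list:
    """Apply analyze_request to each log line; 'authenticated' records whether the
    request carried an X-SYNO-TOKEN, which the rules above use to mark
    authenticated exploitation attempts."""
    alerts = []
    for line in lines:
        src, method, url, body, token = line.split(maxsplit=4)
        for finding in analyze_request(method, url, body):
            alerts.append({"src": src, "method": method, "url": urlsplit(url).path,
                           "authenticated": token != "-", **finding})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The endpoint match is on the path prefix rather than the eight exact CGI names so that the "unspecified parameters" in the description are covered too; tighten it to the IOC list if the prefix match is too noisy in your environment. The share-root check is what separates a real escape from a harmless "../" inside a share, so keep both reasons in the alert rather than collapsing them.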