Synology DiskStation Manager vulnerabilities
96 known vulnerabilities affecting synology/diskstation_manager.

Total CVEs: 96
CISA KEV: 1 (actively exploited)
Public exploits: 10
Exploited in wild: 2

Severity breakdown: CRITICAL 18, HIGH 47, MEDIUM 29, LOW 2
Vulnerabilities
Page 2 of 5
CVE-2022-22687 | CRITICAL | CVSS 9.8 | Affected: ≥ 6.2, < 6.2.3-25426-3; ≥ unspecified, < 6.2.3-25426-3 | Published: 2022-03-25
CWE-120: Buffer copy without checking size of input ('Classic Buffer Overflow')
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
Sources: cvelistv5, nvd

CVE-2022-22688 | HIGH | CVSS 8.8 | Affected: ≥ 7.0, < 7.0.1-42214; ≥ 6.2, < 6.2.4-25556-2; +1 more | Published: 2022-03-25
CWE-77: Improper neutralization of special elements used in a command ('Command Injection')
Improper neutralization of special elements used in a command ('Command Injection') vulnerability in File service functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-2 allows remote authenticated users to execute arbitrary commands via unspecified vectors.
Sources: cvelistv5, nvd

CVE-2021-44142 | HIGH | CVSS 8.8 | Affected: ≥ 6.2, < 6.2.4-25556.4 | Published: 2022-02-21
CWE-125: Out-of-bounds Read
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A
Sources: nvd

CVE-2021-43925 | CRITICAL | CVSS 9.8 | Affected: ≥ 6.2, < 6.2.4-25556-3; ≥ 7.0, < 7.0.1-42218-2; +1 more | Published: 2022-02-07
CWE-89: Improper neutralization of special elements used in an SQL command ('SQL Injection')
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.
Sources: cvelistv5, nvd

CVE-2021-43927 | CRITICAL | CVSS 9.8 | Affected: ≥ 6.2, < 6.2.4-25556-3; ≥ 7.0, < 7.0.1-42218-2; +1 more | Published: 2022-02-07
CWE-89: Improper neutralization of special elements used in an SQL command ('SQL Injection')
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Security Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.
Sources: cvelistv5, nvd

CVE-2021-43926 | CRITICAL | CVSS 9.8 | Affected: ≥ 6.2, < 6.2.4-25556-3; ≥ 7.0, < 7.0.1-42218-2; +1 more | Published: 2022-02-07
CWE-89: Improper neutralization of special elements used in an SQL command ('SQL Injection')
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.
Sources: cvelistv5, nvd

CVE-2022-22680 | HIGH | CVSS 7.5 | Affected: ≥ 6.2, < 6.2.4-25556-3; ≥ 7.0, < 7.0.1-42218-2; +1 more | Published: 2022-02-07
CWE-200: Exposure of sensitive information to an unauthorized actor
Exposure of sensitive information to an unauthorized actor vulnerability in Web Server in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to obtain sensitive information via unspecified vectors.
Sources: cvelistv5, nvd

CVE-2021-43929 | MEDIUM | CVSS 5.4 | Affected: ≥ 6.2, < 6.2.4-25556-3; ≥ 7.0, < 7.0.1-42218-2; +1 more | Published: 2022-02-07
CWE-74: Improper neutralization of special elements in output used by a downstream component ('Injection')
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
Sources: cvelistv5, nvd

CVE-2022-22679 | MEDIUM | CVSS 4.9 | Affected: ≥ 6.2, < 6.2.4-25556-3; ≥ 7.0, < 7.0.1-42218-2; +1 more | Published: 2022-02-07
CWE-22: Improper limitation of a pathname to a restricted directory ('Path Traversal')
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in support service management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to write arbitrary files via unspecified vectors.
Sources: cvelistv5, nvd

CVE-2021-27649 | CRITICAL | CVSS 9.8 | Affected: ≥ 6.2, < 6.2.3-25426-3; ≥ unspecified, < 6.2.3-25426-3 | Published: 2021-06-23
CWE-416: Use After Free
Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
Sources: cvelistv5, nvd

CVE-2021-29086 | HIGH | CVSS 7.5 | Affected: ≥ 6.2, < 6.2.3-25426-3; ≥ unspecified, < 6.2.3-25426-3 | Published: 2021-06-23
CWE-200: Exposure of sensitive information to an unauthorized actor
Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors.
Sources: cvelistv5, nvd

CVE-2021-29085 | HIGH | CVSS 7.5 | Affected: ≥ 6.2, < 6.2.3-25426-3; ≥ unspecified, < 6.2.3-25426-3 | Published: 2021-06-23
CWE-74: Improper neutralization of special elements in output used by a downstream component ('Injection')
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
Sources: cvelistv5, nvd

CVE-2021-29087 | HIGH | CVSS 7.5 | Affected: ≥ 6.2, < 6.2.3-25426-3; ≥ unspecified, < 6.2.3-25426-3 | Published: 2021-06-23
CWE-22: Improper limitation of a pathname to a restricted directory ('Path Traversal')
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors.
Sources: cvelistv5, nvd

CVE-2021-29084 | HIGH | CVSS 7.5 | Affected: ≥ 6.2, < 6.2.3-25426-3; ≥ unspecified, < 6.2.3-25426-3 | Published: 2021-06-23
CWE-74: Improper neutralization of special elements in output used by a downstream component ('Injection')
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
Sources: cvelistv5, nvd

CVE-2021-29088 | HIGH | CVSS 7.8 | Fixed in 6.2.4-25553 | Published: 2021-06-01
CWE-22: Improper limitation of a pathname to a restricted directory ('Path Traversal')
Improper limitation of a pathname to a restricted directory ('Path Traversal') in cgi component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
Sources: nvd

CVE-2021-33182 | MEDIUM | CVSS 4.3 | Fixed in 6.2.4-25553 | Published: 2021-06-01
CWE-22: Improper limitation of a pathname to a restricted directory ('Path Traversal')
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in PDF Viewer component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to read limited files via unspecified vectors.
Sources: nvd

CVE-2021-31439 | HIGH | CVSS 8.8 | Affected: ≥ 6.2, < 6.2.3-25426-3; v6.1.1-15101-4 | Published: 2021-05-21
CWE-122: Heap-based Buffer Overflow
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-s
Sources: cvelistv5, nvd

CVE-2021-29083 | HIGH | CVSS 7.2 | Fixed in 6.2.3-25426-3 | Published: 2021-04-01
CWE-78: Improper neutralization of special elements used in an OS command ('OS Command Injection')
Improper neutralization of special elements used in an OS command in SYNO.Core.Network.PPPoE in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote authenticated users to execute arbitrary code via realname parameter.
Sources: nvd

CVE-2021-27647 | CRITICAL | CVSS 9.8 | Fixed in 6.2.3-25426-3 | Published: 2021-03-12
CWE-125: Out-of-bounds Read
Out-of-bounds Read vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
Sources: nvd

CVE-2021-27646 | CRITICAL | CVSS 9.8 | Fixed in 6.2.3-25426-3 | Published: 2021-03-12
CWE-416: Use After Free
Use After Free vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
Sources: nvd