
Synology Diskstation Manager vulnerabilities

97 known vulnerabilities affecting synology/diskstation_manager.

Total CVEs: 97
CISA KEV (actively exploited): 1
Public exploits: 11
Exploited in wild: 3
Severity breakdown: CRITICAL 19, HIGH 47, MEDIUM 29, LOW 2

Vulnerabilities

Page 3 of 5

Each entry lists: CVE ID | priority | severity | CVSS score | fixed-in or affected version ranges (lower bound inclusive, upper bound exclusive unless written as ≤) | date. Ranges the source elides as "+N more" are not expanded here.
CVE-2021-26562 | P3 | HIGH | CVSS 8.1 | fixed in 6.2.3-25426-3 | 2021-02-26
CWE-787: Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via the syno_finder_site HTTP header.
Source: NVD
CVE-2021-26561 | P3 | HIGH | CVSS 8.1 | fixed in 6.2.3-25426-3 | 2021-02-26
CWE-121: Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via the syno_finder_site HTTP header.
Source: NVD
CVE-2021-29083 | P3 | HIGH | CVSS 7.2 | fixed in 6.2.3-25426-3 | 2021-04-01
CWE-78: Improper neutralization of special elements used in an OS command in SYNO.Core.Network.PPPoE in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote authenticated users to execute arbitrary code via the realname parameter.
Source: NVD
CVE-2025-1021 | P3 | HIGH | CVSS 7.5 | affected: ≥ 7.1, < 7.1.1-42962-8; ≥ 7.2.1-69057, < 7.2.1-69057-7; +2 more | 2025-04-23
CWE-862: Missing authorization vulnerability in synocopy in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows remote attackers to read arbitrary files via unspecified vectors.
Source: NVD
CVE-2024-50629 | P3 | MEDIUM | CVSS 5.3 | affected: ≥ 7.1, < 7.1.1-42962-7; ≥ 7.2, < 7.2-64570-4; +3 more | 2025-03-19
CWE-116: Improper encoding or escaping of output vulnerability in the webapi component in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.1.1-42962-7, 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allows remote attackers to read limited files via unspecified vectors.
Source: NVD
CVE-2023-0142 | P3 | HIGH | CVSS 8.1 | affected: ≥ 6.2, < 7.1-42661; ≥ 7.1, < 7.1-42661; +2 more | 2023-06-13
CWE-427: Uncontrolled search path element vulnerability in Backup Management functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.0.1-42218-7 and 7.1-42661 allows remote authenticated users with administrator privileges to read or write arbitrary files via unspecified vectors.
Source: NVD
CVE-2021-29084 | P3 | HIGH | CVSS 7.5 | affected: ≥ 6.2, < 6.2.3-25426-3; lower bound unspecified, < 6.2.3-25426-3 | 2021-06-23
CWE-74: Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in the Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
Source: NVD
CVE-2018-8919 | P3 | CRITICAL | CVSS 9.8 | fixed in 6.1.6-15266; affected: lower bound unspecified, < 6.1.6-15266 | 2018-12-24
CWE-200: Information exposure vulnerability in SYNO.Core.Desktop.SessionData in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to steal credentials via unspecified vectors.
Source: NVD
CVE-2022-27610 | P3 | HIGH | CVSS 8.1 | affected: ≥ 6.2, < 6.2.3-25423; lower bound unspecified, < 6.2.3-25423 | 2022-07-27
CWE-22: Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in the webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25423 allows remote authenticated users to delete arbitrary files via unspecified vectors.
Source: NVD
CVE-2017-9553 | P3 | HIGH | CVSS 7.5 | affected: ≤ 6.1.1-15101-4 | 2017-07-24
A design flaw in SYNO.API.Encryption in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to bypass the encryption protection mechanism via a crafted version parameter.
Source: NVD
CVE-2021-29087 | P3 | HIGH | CVSS 7.5 | affected: ≥ 6.2, < 6.2.3-25426-3; lower bound unspecified, < 6.2.3-25426-3 | 2021-06-23
CWE-22: Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in the webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors.
Source: NVD
CVE-2017-12075 | P3 | HIGH | CVSS 7.2 | fixed in 6.2-23739; affected: lower bound unspecified, < 6.2-23739 | 2018-06-08
CWE-77: Command injection vulnerability in EZ-Internet in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to execute arbitrary commands via the username parameter.
Source: NVD
CVE-2021-29085 | P3 | HIGH | CVSS 7.5 | affected: ≥ 6.2, < 6.2.3-25426-3; lower bound unspecified, < 6.2.3-25426-3 | 2021-06-23
CWE-74: Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in the file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
Source: NVD
CVE-2023-2729 | P3 | HIGH | CVSS 7.5 | affected: ≥ 6.2, < 7.2-64561; ≥ 7.2, < 7.2-64561; +3 more | 2023-06-13
Use of insufficiently random values vulnerability in User Management functionality in Synology DiskStation Manager (DSM) before 7.2-64561 allows remote attackers to obtain user credentials via unspecified vectors.
Source: NVD
CVE-2012-1556 | P4 | MEDIUM | CVSS 4.3 | PoC available | affects v3.2-1955 | 2014-09-12
CWE-79: Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php.
Source: NVD
CVE-2018-7185 | P3 | HIGH | CVSS 7.5 | affected: ≥ 5.2, < 6.1.6-15266 | 2018-03-06
The protocol engine in ntp 4.2.6 before 4.2.8p11 allows remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and the source IP address of the "other side" of an interleaved association, causing the victim ntpd to reset its association.
Source: NVD
CVE-2018-7184 | P3 | HIGH | CVSS 7.5 | affects v5.2, v6.0, +1 more | 2018-03-06
ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp, causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix
Source: NVD
CVE-2014-2264 | P3 | HIGH | CVSS 7.8 | affects v4.3-3810 | 2014-03-02
CWE-200: The OpenVPN module in Synology DiskStation Manager (DSM) 4.3-3810 update 1 has a hardcoded root password of synopass, which makes it easier for remote attackers to obtain access via a VPN session.
Source: NVD
CVE-2021-26564 | P3 | HIGH | CVSS 8.7 | fixed in 6.2.3-25426-3 | 2021-02-26
CWE-319: Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
Source: NVD
CVE-2021-29086 | P3 | HIGH | CVSS 7.5 | affected: ≥ 6.2, < 6.2.3-25426-3; lower bound unspecified, < 6.2.3-25426-3 | 2021-06-23
CWE-200: Exposure of sensitive information to an unauthorized actor vulnerability in the webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors.
Source: NVD
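The version columns above mix three forms ("fixed in X", "≥ A, < B", "≤ X"), and a DSM build string carries a release, a build number and an update number that all have to be compared to decide whether an installed unit is affected. The following is an added example, not code from cvebase, NVD or Synology: a Python checker that parses DSM version strings and tests an installed version against ranges transcribed from the entries on this page. The names Range, parse_dsm_version and affected_cves are chosen here; the 7.2.2 lower bound for CVE-2025-1021 is an assumption, and ranges the page elides as "+N more" are not reconstructed, so an empty result means "no transcribed range matched", not "not affected".

```python
"""Check an installed Synology DSM version against affected-version ranges.

Added example; not cvebase's, NVD's or Synology's code. DSM version strings
look like MAJOR.MINOR[.PATCH]-BUILD[-UPDATE], e.g. "6.2.3-25426-3" (release
6.2.3, build 25426, Update 3). A range's lower bound is inclusive; its upper
bound is exclusive ("fixed in X" / "before X") unless the page writes "<= X".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[Tuple[int, ...], int, int]

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:-(\d+))?(?:-(\d+))?$")


def parse_dsm_version(text: str) -> Version:
    """Parse "7.2.1-69057-6" into ((7, 2, 1), 69057, 6).

    A missing build or update number becomes 0, so "7.1" sorts before every
    7.1 build and "6.2.3-25426" sorts before "6.2.3-25426-1". Tuples compare
    lexicographically, which matches how DSM releases are ordered.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a DSM version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2) or 0)
    update = int(m.group(3) or 0)
    return (release, build, update)


@dataclass(frozen=True)
class Range:
    lo: Optional[str] = None    # inclusive; None = "unspecified" on the page
    hi: Optional[str] = None    # exclusive unless hi_inclusive ("fixed in X")
    hi_inclusive: bool = False  # True for ranges the page writes as "<= X"

    def contains(self, v: Version) -> bool:
        if self.lo is not None and v < parse_dsm_version(self.lo):
            return False
        if self.hi is not None:
            h = parse_dsm_version(self.hi)
            return v <= h if self.hi_inclusive else v < h
        return True


# Transcribed from the entries above. Ranges the page elides as "+N more" are
# not reconstructed, so "no match" means "no transcribed range matched".
AFFECTED: Dict[str, List[Range]] = {
    # "fixed in 6.2.3-25426-3", no lower bound given
    "CVE-2021-26562": [Range(hi="6.2.3-25426-3")],
    # page writes "<= 6.1.1-15101-4": inclusive upper bound
    "CVE-2017-9553": [Range(hi="6.1.1-15101-4", hi_inclusive=True)],
    # per-branch fixes taken from the description; the page's flattened
    # ">= 6.2, < 7.1-42661" would wrongly flag the fixed 6.2.4-25556-8
    "CVE-2023-0142": [
        Range(lo="6.2", hi="6.2.4-25556-8"),
        Range(lo="7.0", hi="7.0.1-42218-7"),
        Range(lo="7.1", hi="7.1-42661"),
    ],
    "CVE-2025-1021": [
        Range(lo="7.1", hi="7.1.1-42962-8"),
        Range(lo="7.2.1-69057", hi="7.2.1-69057-7"),
        # lower bound assumed from the fixed build's branch; the page only
        # says "+2 more" for the remaining ranges
        Range(lo="7.2.2", hi="7.2.2-72806-3"),
    ],
    # a single affected version
    "CVE-2012-1556": [Range(lo="3.2-1955", hi="3.2-1955", hi_inclusive=True)],
}


def affected_cves(installed: str) -> Set[str]:
    """Return the CVE IDs whose transcribed ranges contain `installed`."""
    v = parse_dsm_version(installed)
    return {cve for cve, ranges in AFFECTED.items()
            if any(r.contains(v) for r in ranges)}


if __name__ == "__main__":
    # constructed sample inputs around the fix boundaries listed above
    for ver in ("6.2.3-25426-2", "6.2.4-25556-8",
                "7.2.1-69057-6", "7.2.1-69057-7"):
        hits = sorted(affected_cves(ver))
        print(ver, "->", hits or "no transcribed range matched")
```

Because the upper bound is exclusive, the last update before a fix (6.2.3-25426-2, 7.2.1-69057-6) is reported affected and the fixed build itself is not; encoding the per-branch fixes from a description rather than the page's coarse ≥/< pair avoids flagging a patched 6.2.4 unit as vulnerable to CVE-2023-0142.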