Synology Diskstation Manager vulnerabilities
97 known vulnerabilities affecting synology/diskstation_manager.
Total CVEs: 97
CISA KEV: 1 (actively exploited)
Public exploits: 11
Exploited in wild: 3
Severity breakdown: CRITICAL 19, HIGH 47, MEDIUM 29, LOW 2
Vulnerabilities (page 5 of 5)
CVE-2019-3870 | P4 | MEDIUM | CVSS 6.1 | CWE-276 | published 2019-04-09
Affected: v5.2; v6.1; +1 more
A vulnerability was found in Samba from version 4.9 (inclusive) to versions before 4.9.6 and 4.10.2. During the creation of a new Samba AD DC, files are created in a private subdirectory of the install location. This directory is typically mode 0700, that is, owner (root) only access. However, in some upgraded installations it will have other permission
Source: nvd
CVE-2015-2809 | P4 | MEDIUM | CVSS 5.0 | CWE-200 | published 2015-04-01
Affected: ≤ 3.0
The Multicast DNS (mDNS) responder in Synology DiskStation Manager (DSM) before 3.1 inadvertently responds to unicast queries with source addresses that are not link-local, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets to the Avahi component.
Source: nvd
CVE-2021-26565 | P4 | MEDIUM | CVSS 5.9 | CWE-319 | published 2021-02-26
Fixed in: 6.2.3-25426-3
Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session.
Source: nvd
CVE-2018-13280 | P4 | MEDIUM | CVSS 5.9 | CWE-330 | published 2018-07-30
Fixed in: 6.2-23739
Affected: ≥ unspecified, < 6.2-23739
Use of insufficiently random values vulnerability in SYNO.Encryption.GenRandomKey in Synology DiskStation Manager (DSM) before 6.2-23739 allows man-in-the-middle attackers to compromise non-HTTPS sessions via unspecified vectors.
Source: nvd
CVE-2021-43929 | P4 | MEDIUM | CVSS 5.4 | CWE-74 | published 2022-02-07
Affected: ≥ 6.2, < 6.2.4-25556-3; ≥ 7.0, < 7.0.1-42218-2; +1 more
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
Source: nvd
CVE-2024-0854 | P4 | MEDIUM | CVSS 5.4 | CWE-601 | published 2024-01-24
Fixed in: 7.2.1-69057-2
Affected: ≥ 7.2, < 7.2.1-69057-2; +3 more
URL redirection to untrusted site ('Open Redirect') vulnerability in file access component in Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.0.1-42218-7, 7.1.1-42962-7 and 7.2.1-69057-2 allows remote authenticated users to conduct phishing attacks via unspecified vectors.
Source: nvd
CVE-2018-13281 | P4 | MEDIUM | CVSS 4.3 | CWE-200 | published 2018-10-31
Affected: ≥ 6.1, < 6.1.7-15284-2; ≥ 6.2, < 6.2-23739-2; +3 more
Information exposure vulnerability in SYNO.Core.ACL in Synology DiskStation Manager (DSM) before 6.2-23739-2 allows remote authenticated users to determine the existence and obtain the metadata of arbitrary files via the file_path parameter.
Source: nvd
CVE-2018-8917 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | published 2018-12-24
Fixed in: 6.1.6-15266
Affected: ≥ unspecified, < 6.1.6-15266
Cross-site scripting (XSS) vulnerability in info.cgi in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary web script or HTML via the host parameter.
Source: nvd
CVE-2017-16774 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | published 2019-04-01
Affected: ≥ 5.2, < 6.1.4-15217-3; ≥ unspecified, < 6.1.4-15217-3
Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter.
Source: nvd
CVE-2018-13293 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | published 2019-04-01
Affected: ≥ 5.2, < 6.2.1-23824; ≥ unspecified, < 6.2.1-23824
Cross-site scripting (XSS) vulnerability in Control Panel SSO Settings in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to inject arbitrary web script or HTML via the URL parameter.
Source: nvd
CVE-2021-33182 | P4 | MEDIUM | CVSS 4.3 | CWE-22 | published 2021-06-01
Fixed in: 6.2.4-25553
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in PDF Viewer component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to read limited files via unspecified vectors.
Source: nvd
CVE-2022-27622 | P4 | MEDIUM | CVSS 4.3 | CWE-918 | published 2022-10-25
Fixed in: 7.1-42661
Affected: ≥ unspecified, < 7.1-42661
Server-Side Request Forgery (SSRF) vulnerability in Package Center functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote authenticated users to access intranet resources via unspecified vectors.
Source: nvd
CVE-2017-12076 | P4 | MEDIUM | CVSS 4.9 | CWE-400 | published 2017-08-28
Affected: ≤ 6.1; v6.1.1
Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology DiskStation Manager (DSM) before 6.1.1-15088 allows a remote authenticated attacker to exhaust the memory resources of the machine, causing a denial of service.
Source: nvd
CVE-2018-13291 | P4 | MEDIUM | CVSS 4.3 | CWE-200 | published 2019-04-01
Affected: ≥ 5.2, < 6.2.1-23824; ≥ unspecified, < 6.2.1-23824
Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to obtain sensitive information via the world-readable configuration file.
Source: nvd
CVE-2015-4655 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | published 2015-06-18
Affected: ≤ 5.2-5565
Cross-site scripting (XSS) vulnerability in Synology DiskStation Manager (DSM) before 5.2-5565 Update 1 allows remote attackers to inject arbitrary web script or HTML via the "compound" parameter to entry.cgi.
Source: nvd
CVE-2020-27650 | P4 | LOW | CVSS 3.7 | CWE-614 | published 2020-10-29
Affected: ≥ 6.2, < 6.2.3-25426-2; ≥ unspecified, < 6.2.3-25426-2
Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.
Source: nvd
CVE-2020-27656 | P4 | LOW | CVSS 3.7 | CWE-319 | published 2020-10-29
Affected: ≥ 6.2, < 6.2.3-25426-2; ≥ unspecified, < 6.2.3-25426-2
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop on the DNSExit authentication information via unspecified vectors.
Source: nvd