Synology Photo Station vulnerabilities
33 known vulnerabilities affecting synology/photo_station.
Total CVEs: 33
CISA KEV: 0
Public exploits: 5
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 15, MEDIUM 12
Vulnerabilities
Page 2 of 2
CVE-2021-29091 | P3 | MEDIUM | CVSS 6.5 | versions: ≥ 6.8, < 6.8.14-3500 | date: 2021-06-02
CWE-22: Improper limitation of a pathname to a restricted directory ('Path Traversal')
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to write arbitrary files via unspecified vectors.
Source: NVD
CVE-2017-9552 | P3 | HIGH | CVSS 7.8 | versions: v6.0-2528, v6.0-2636, +22 more | date: 2017-06-13
CWE-522: Insufficiently protected credentials
A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by "synophoto_dsm_user --auth USERNAME PASSWORD", and local users are able to obtain credentials by sniffing "/proc
Source: NVD
CVE-2017-12071 | P3 | MEDIUM | CVSS 6.5 | versions: ≤ 6.3-2967, ≤ 6.7.3-3432 | date: 2017-09-08
CWE-918: Server-side request forgery (SSRF)
Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via the url parameter.
Source: NVD
CVE-2017-11162 | P3 | MEDIUM | CVSS 6.5 | versions: ≤ 6.3-2967, ≤ 6.7.3-3432 | date: 2017-09-08
CWE-22: Directory traversal
Directory traversal vulnerability in synphotoio in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to read arbitrary files via unspecified vectors.
Source: NVD
CVE-2016-10330 | P4 | HIGH | CVSS 7.1 | versions: ≤ 6.5.2-3225 | date: 2017-05-12
CWE-22: Directory traversal
Directory traversal vulnerability in synophoto_dsm_user, a SUID program, as used in Synology Photo Station before 6.5.3-3226 allows local users to write to arbitrary files via unspecified vectors.
Source: NVD
CVE-2018-13282 | P4 | MEDIUM | CVSS 6.3 | versions: ≥ 6.3, < 6.3-2976; ≥ 6.8, < 6.8.7-3481; +1 more | date: 2018-10-31
CWE-384: Session fixation
Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
Source: NVD
CVE-2017-16769 | P4 | MEDIUM | CVSS 5.3 | versions: v6.8.1-3458 | date: 2018-02-23
CWE-359: Exposure of private information
Exposure of private information vulnerability in Photo Viewer in Synology Photo Station 6.8.1-3458 allows remote attackers to obtain metadata from password-protected photographs via the map viewer mode.
Source: NVD
CVE-2017-16771 | P4 | MEDIUM | CVSS 6.1 | versions: ≥ 6.8, < 6.8.3-3463; ≥ 6.3, < 6.3-2971; +2 more | date: 2018-03-22
CWE-79: Cross-site scripting (XSS)
Cross-site scripting (XSS) vulnerability in Log Viewer in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote attackers to inject arbitrary web script or HTML via the username parameter.
Source: NVD
CVE-2017-12080 | P4 | MEDIUM | CVSS 5.3 | versions: ≥ 6.3, < 6.3-2970; ≥ 6.8, < 6.8.1-3458; +2 more | date: 2017-12-04
CWE-200: Information exposure
An information exposure vulnerability in default HTTP configuration file in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain sensitive system information via .htaccess file.
Source: NVD
CVE-2015-9102 | P4 | MEDIUM | CVSS 5.4 | versions: ≤ 6.3-2960; v6.0; +1 more | date: 2017-06-30
CWE-79: Cross-site scripting (XSS)
Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos.
Source: NVD
CVE-2017-9555 | P4 | MEDIUM | CVSS 5.4 | versions: ≤ 6.6.3-3347 | date: 2017-08-24
CWE-79: Cross-site scripting (XSS)
Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.0-3414 allows remote attackers to inject arbitrary web script or HTML via the image parameter.
Source: NVD
CVE-2017-12072 | P4 | MEDIUM | CVSS 5.4 | versions: fixed in 6.8.0-3456; before 6.8.0-3456 | date: 2017-12-20
CWE-79: Cross-site scripting (XSS)
Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.8.0-3456 allows remote authenticated users to inject arbitrary web scripts or HTML via the id parameter.
Source: NVD
CVE-2015-4656 | P4 | MEDIUM | CVSS 4.3 | versions: ≤ 6.3-2944 | date: 2015-06-18
CWE-79: Cross-site scripting (XSS)
Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php or (2) crafted URL parameters to index.php, as demonstrated by the t parameter to photo/.
Source: NVD