cvebase

Synology Router Manager vulnerabilities

59 known vulnerabilities affecting synology/router_manager.

Total CVEs: 59
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 21, MEDIUM 30, LOW 1

Vulnerabilities

Page 3 of 3
CVE-2019-3870 | P4 | MEDIUM | CVSS 6.1 | v1.2 | 2019-04-09
CVE-2019-3870 [MEDIUM] CWE-276: A vulnerability was found in Samba from version (including) 4.9 to versions before 4.9.6 and 4.10.2. During the creation of a new Samba AD DC, files are created in a private subdirectory of the install location. This directory is typically mode 0700, that is owner (root) only access. However in some upgraded installations it will have other permission
nvd
CVE-2020-27658 | P4 | MEDIUM | CVSS 6.1 | ≥ 1.2, < 1.2.4-8081 | 2020-10-29
CVE-2020-27658 [MEDIUM] CWE-1004: Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
nvd
CVE-2018-13289 | P4 | MEDIUM | CVSS 5.3 | ≥ 1.1, < 1.1.7-6941-2 | 2019-04-01
CVE-2018-13289 [MEDIUM] CWE-200: Information exposure vulnerability in SYNO.FolderSharing.List in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote attackers to obtain sensitive information via the (1) folder_path or (2) real_path parameter.
nvd
CVE-2025-29845 | P4 | MEDIUM | CVSS 4.3 | ≥ 1.3, < 1.3.1-9346 | v1.3.1-9346 | 2025-12-04
CVE-2025-29845 [MEDIUM] CWE-22: A vulnerability in VideoPlayer2 subtitle cgi allows remote authenticated users to read .srt files.
nvd
CVE-2025-29844 | P4 | MEDIUM | CVSS 4.3 | ≥ 1.3, < 1.3.1-9346 | v1.3.1-9346 | 2025-12-04
CVE-2025-29844 [MEDIUM] CWE-22: A vulnerability in FileStation file cgi allows remote authenticated users to read file metadata and path information.
nvd
CVE-2018-8918 | P4 | MEDIUM | CVSS 5.4 | fixed in 1.1.7-6941 | 2018-12-24
CVE-2018-8918 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in info.cgi in Synology Router Manager (SRM) before 1.1.7-6941 allows remote attackers to inject arbitrary web script or HTML via the host parameter.
nvd
CVE-2024-53288 | P4 | MEDIUM | CVSS 5.9 | ≥ 1.3, < 1.3.1-9346 | v1.3.1-9346 | 2025-07-23
CVE-2024-53288 [MEDIUM] CWE-79: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in NTP Region functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.
nvd
CVE-2017-12077 | P4 | MEDIUM | CVSS 4.9 | ≤ 1.1.3-6447-4 | 2017-08-28
CVE-2017-12077 [MEDIUM] CWE-400: Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology Router Manager (SRM) before 1.1.4-6509 allows remote authenticated attacker to exhaust the memory resources of the machine, causing a denial of service attack.
nvd
CVE-2024-53281 | P4 | MEDIUM | CVSS 5.9 | ≥ 1.3, < 1.3.1-9346 | v1.3.1-9346 | 2024-12-09
CVE-2024-53281 [MEDIUM] CWE-79: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Network WOL functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users to read or write specific files containing non-sensitive information and conduct limited denial-of-service attacks by injecting arbitrar
nvd
CVE-2024-53279 | P4 | MEDIUM | CVSS 5.9 | ≥ 1.3, < 1.3.1-9346 | v1.3.1-9346 | 2024-12-09
CVE-2024-53279 [MEDIUM] CWE-79: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in file station functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-of-servic
nvd
CVE-2024-53282 | P4 | MEDIUM | CVSS 5.9 | ≥ 1.3, < 1.3.1-9346 | v1.3.1-9346 | 2024-12-09
CVE-2024-53282 [MEDIUM] CWE-79: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in WiFi Connect MAC Filter functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denia
nvd
CVE-2024-53285 | P4 | MEDIUM | CVSS 5.9 | ≥ 1.3, < 1.3.1-9346 | v1.3.1-9346 | 2024-12-09
CVE-2024-53285 [MEDIUM] CWE-79: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in DDNS Record functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-of-service
nvd
CVE-2024-53280 | P4 | MEDIUM | CVSS 5.9 | ≥ 1.3, < 1.3.1-9346 | v1.3.1-9346 | 2024-12-09
CVE-2024-53280 [MEDIUM] CWE-79: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in network center policy route functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited d
nvd
CVE-2024-53283 | P4 | MEDIUM | CVSS 5.9 | ≥ 1.3, < 1.3.1-9346 | v1.3.1-9346 | 2024-12-09
CVE-2024-53283 [MEDIUM] CWE-79: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Router Port Forward functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-of
nvd
CVE-2024-53284 | P4 | MEDIUM | CVSS 5.9 | ≥ 1.3, < 1.3.1-9346 | v1.3.1-9346 | 2024-12-09
CVE-2024-53284 [MEDIUM] CWE-79: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in WiFi Connect Setting functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-o
nvd
CVE-2024-53287 | P4 | MEDIUM | CVSS 5.9 | ≥ 1.3, < 1.3.1-9346 | v1.3.1-9346 | 2025-07-23
CVE-2024-53287 [MEDIUM] CWE-79: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in VPN Setting functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.
nvd
CVE-2018-13290 | P4 | MEDIUM | CVSS 4.3 | ≥ 1.1, < 1.1.7-6941-2 | 2019-04-01
CVE-2018-13290 [MEDIUM] CWE-200: Information exposure vulnerability in SYNO.Core.ACL in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote authenticated users to determine the existence of files or obtain sensitive information of files via the file_path parameter.
nvd
CVE-2018-13292 | P4 | MEDIUM | CVSS 4.3 | ≥ 1.1, < 1.1.7-6941-2 | 2019-04-01
CVE-2018-13292 [MEDIUM] CWE-200: Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote authenticated users to obtain sensitive information via the world readable configuration.
nvd
CVE-2019-9495 | P4 | LOW | CVSS 3.7 | fixed in 1.2.3-8017 | 2019-04-17
CVE-2019-9495 [LOW] CWE-524: The implementations of EAP-PWD in hostapd and wpa_supplicant are vulnerable to side-channel attacks as a result of cache access patterns. All versions of hostapd and wpa_supplicant with EAP-PWD support are vulnerable. The ability to install and execute applications is necessary for a successful attack. Memory access patterns are visible in a shared cache.
nvd