CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Synology » Diskstation Manager » * * * * : Security Vulnerabilities

Cpe Name:cpe:2.3:a:synology:diskstation_manager:*:*:*:*:*:*:*:*
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-27610 22 Dir. Trav. 2022-07-27 2022-08-02
0.0
None ??? ??? ??? ??? ??? ???
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25423 allows remote authenticated users to delete arbitrary files via unspecified vectors.
2 CVE-2022-22688 77 Exec Code 2022-03-25 2022-03-30
6.5
None Remote Low ??? Partial Partial Partial
Improper neutralization of special elements used in a command ('Command Injection') vulnerability in File service functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-2 allows remote authenticated users to execute arbitrary commands via unspecified vectors.
3 CVE-2022-22687 120 Exec Code Overflow 2022-03-25 2022-03-30
7.5
None Remote Low Not required Partial Partial Partial
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
4 CVE-2022-22684 78 Exec Code 2022-07-28 2022-08-03
0.0
None ??? ??? ??? ??? ??? ???
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to execute arbitrary commands via unspecified vectors.
5 CVE-2022-22680 +Info 2022-02-07 2022-02-10
5.0
None Remote Low Not required Partial None None
Exposure of sensitive information to an unauthorized actor vulnerability in Web Server in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to obtain sensitive information via unspecified vectors.
6 CVE-2022-22679 22 Dir. Trav. 2022-02-07 2022-02-10
4.0
None Remote Low ??? None Partial None
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in support service management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to write arbitrary files via unspecified vectors.
7 CVE-2021-44142 125 Exec Code 2022-02-21 2022-02-23
9.0
None Remote Low ??? Complete Complete Complete
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.
8 CVE-2021-43929 74 2022-02-07 2022-02-10
4.0
None Remote Low ??? None Partial None
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
9 CVE-2021-43927 89 Sql 2022-02-07 2022-02-10
7.5
None Remote Low Not required Partial Partial Partial
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Security Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.
10 CVE-2021-43926 89 Sql 2022-02-07 2022-02-10
7.5
None Remote Low Not required Partial Partial Partial
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.
11 CVE-2021-43925 89 Sql 2022-02-07 2022-02-10
7.5
None Remote Low Not required Partial Partial Partial
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.
12 CVE-2021-33182 22 Dir. Trav. 2021-06-01 2021-06-09
4.0
None Remote Low ??? Partial None None
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in PDF Viewer component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to read limited files via unspecified vectors.
13 CVE-2021-31439 122 Exec Code 2021-05-21 2021-05-27
5.8
None Local Network Low Not required Partial Partial Partial
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerablity. The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12326.
14 CVE-2021-29088 22 Exec Code Dir. Trav. 2021-06-01 2021-06-09
4.6
None Local Low Not required Partial Partial Partial
Improper limitation of a pathname to a restricted directory ('Path Traversal') in cgi component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
15 CVE-2021-29087 22 Dir. Trav. 2021-06-23 2021-06-29
5.0
None Remote Low Not required None Partial None
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors.
16 CVE-2021-29086 200 +Info 2021-06-23 2021-06-29
5.0
None Remote Low Not required Partial None None
Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors.
17 CVE-2021-29085 74 2021-06-23 2021-06-29
5.0
None Remote Low Not required Partial None None
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
18 CVE-2021-29084 74 2021-06-23 2021-06-29
5.0
None Remote Low Not required Partial None None
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.
19 CVE-2021-29083 78 Exec Code 2021-04-01 2021-04-07
9.0
None Remote Low ??? Complete Complete Complete
Improper neutralization of special elements used in an OS command in SYNO.Core.Network.PPPoE in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote authenticated users to execute arbitrary code via realname parameter.
20 CVE-2021-27649 416 Exec Code 2021-06-23 2021-06-29
7.5
None Remote Low Not required Partial Partial Partial
Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.
21 CVE-2021-27647 125 Exec Code 2021-03-12 2021-03-26
7.5
None Remote Low Not required Partial Partial Partial
Out-of-bounds Read vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
22 CVE-2021-27646 416 Exec Code 2021-03-12 2021-03-26
7.5
None Remote Low Not required Partial Partial Partial
Use After Free vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
23 CVE-2021-26569 362 Exec Code 2021-03-12 2022-08-02
6.8
None Remote Medium Not required Partial Partial Partial
Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via crafted web requests.
24 CVE-2021-26567 Exec Code Overflow 2021-02-26 2021-03-12
6.5
None Remote Low ??? Partial Partial Partial
Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options.
25 CVE-2021-26566 200 Exec Code +Info 2021-02-26 2021-04-22
6.8
None Remote Medium Not required Partial Partial Partial
Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic.
26 CVE-2021-26565 319 +Info 2021-02-26 2021-04-22
4.3
None Remote Medium Not required Partial None None
Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session.
27 CVE-2021-26564 319 2021-02-26 2022-04-26
5.8
None Remote Medium Not required Partial Partial None
Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
28 CVE-2021-26563 863 Exec Code 2021-02-26 2022-04-26
4.6
None Local Low Not required Partial Partial Partial
Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
29 CVE-2021-26562 787 Exec Code 2021-02-26 2022-04-26
6.8
None Remote Medium Not required Partial Partial Partial
Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
30 CVE-2021-26561 119 Exec Code Overflow 2021-02-26 2022-04-26
6.8
None Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.
31 CVE-2021-26560 319 2021-02-26 2022-04-26
5.8
None Remote Medium Not required Partial Partial None
Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
32 CVE-2020-27656 319 2020-10-29 2020-11-03
4.3
None Remote Medium Not required Partial None None
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.
33 CVE-2020-27652 327 +Info 2020-10-29 2021-05-12
5.1
None Remote High Not required Partial Partial Partial
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
34 CVE-2020-27650 311 2020-10-29 2020-11-05
4.3
None Remote Medium Not required Partial None None
Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.
35 CVE-2020-27648 295 +Info 2020-10-29 2020-11-09
6.8
None Remote Medium Not required Partial Partial Partial
Improper certificate validation vulnerability in OpenVPN client in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
36 CVE-2018-13293 79 XSS 2019-04-01 2019-10-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Control Panel SSO Settings in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to inject arbitrary web script or HTML via the URL parameter.
37 CVE-2018-13291 200 +Info 2019-04-01 2019-10-09
4.0
None Remote Low ??? Partial None None
Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to obtain sensitive information via the world readable configuration.
38 CVE-2018-13286 276 +Info 2019-04-01 2019-10-09
4.0
None Remote Low ??? Partial None None
Incorrect default permissions vulnerability in synouser.conf in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to obtain sensitive information via the world readable configuration.
39 CVE-2018-13284 78 Exec Code 2019-04-01 2019-10-09
9.0
None Remote Low ??? Complete Complete Complete
Command injection vulnerability in ftpd in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command.
40 CVE-2018-13281 200 +Info 2018-10-31 2019-10-09
4.0
None Remote Low ??? Partial None None
Information exposure vulnerability in SYNO.Core.ACL in Synology DiskStation Manager (DSM) before 6.2-23739-2 allows remote authenticated users to determine the existence and obtain the metadata of arbitrary files via the file_path parameter.
41 CVE-2018-13280 330 2018-07-30 2019-10-09
4.3
None Remote Medium Not required Partial None None
Use of insufficiently random values vulnerability in SYNO.Encryption.GenRandomKey in Synology DiskStation Manager (DSM) before 6.2-23739 allows man-in-the-middle attackers to compromise non-HTTPS sessions via unspecified vectors.
42 CVE-2018-8920 116 2018-12-24 2021-05-12
6.5
None Remote Low ??? Partial Partial Partial
Improper neutralization of escape vulnerability in Log Exporter in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary content to have an unspecified impact by exporting an archive in CSV format.
43 CVE-2018-8919 200 +Info 2018-12-24 2019-10-09
5.0
None Remote Low Not required Partial None None
Information exposure vulnerability in SYNO.Core.Desktop.SessionData in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to steal credentials via unspecified vectors.
44 CVE-2018-8917 79 XSS 2018-12-24 2019-10-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in info.cgi in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary web script or HTML via the host parameter.
45 CVE-2018-8916 640 2018-06-08 2019-10-09
4.0
None Remote Low ??? Partial None None
Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification.
46 CVE-2018-7185 DoS 2018-03-06 2020-08-24
5.0
None Remote Low Not required None None Partial
The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association causing the victim ntpd to reset its association.
47 CVE-2018-7170 2018-03-06 2020-06-18
3.5
None Remote Medium ??? None Partial None
ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549.
48 CVE-2018-1160 787 Exec Code 2018-12-20 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.
49 CVE-2017-16774 79 XSS 2019-04-01 2019-10-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter.
50 CVE-2017-16766 74 2017-12-22 2019-10-09
6.4
None Remote Low Not required Partial Partial None
An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.3-8754-6 allows local users to inject arbitrary web script or HTML via the -fn option.
Total number of vulnerabilities : 59   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.