Summary
Detail | |||
---|---|---|---|
Vendor | Synology | First view | 2013-12-31 |
Product | Diskstation Manager | Last view | 2024-01-24 |
Version | Type | ||
Update | |||
Edition | |||
Language | |||
Sofware Edition | |||
Target Software | |||
Target Hardware | |||
Other |
Activity : Overall
COMMON PLATFORM ENUMERATION: Repartition per Version
Related : CVE
Date | Alert | Description | |
---|---|---|---|
5.4 | 2024-01-24 | CVE-2024-0854 | URL redirection to untrusted site ('Open Redirect') vulnerability in file access component in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 allows remote authenticated users to conduct phishing attacks via unspecified vectors. |
7.5 | 2023-06-13 | CVE-2023-2729 | Use of insufficiently random values vulnerability in User Management Functionality in Synology DiskStation Manager (DSM) before 7.2-64561 allows remote attackers to obtain user credential via unspecified vectors. |
8.1 | 2023-06-13 | CVE-2023-0142 | Uncontrolled search path element vulnerability in Backup Management Functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote authenticated users to read or write arbitrary files via unspecified vectors. |
9.1 | 2022-10-25 | CVE-2022-27623 | Missing authentication for critical function vulnerability in iSCSI management functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote attackers to read or write arbitrary files via unspecified vectors. |
4.3 | 2022-10-25 | CVE-2022-27622 | Server-Side Request Forgery (SSRF) vulnerability in Package Center functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote authenticated users to access intranet resources via unspecified vectors. |
7.5 | 2022-10-20 | CVE-2022-3576 | A vulnerability regarding out-of-bounds read is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to obtain sensitive information via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500. |
8.1 | 2022-10-20 | CVE-2022-27626 | A vulnerability regarding concurrent execution using shared resource with improper synchronization ('Race Condition') is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500. |
9.8 | 2022-10-20 | CVE-2022-27625 | A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the message processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500. |
9.8 | 2022-10-20 | CVE-2022-27624 | A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the packet decryption functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500. |
7.2 | 2022-08-03 | CVE-2022-27616 | Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 7.0.1-42218-3 allows remote authenticated users to execute arbitrary commands via unspecified vectors. |
8.8 | 2022-07-28 | CVE-2022-22684 | Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to execute arbitrary commands via unspecified vectors. |
8.1 | 2022-07-27 | CVE-2022-27610 | Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25423 allows remote authenticated users to delete arbitrary files via unspecified vectors. |
8.8 | 2022-03-25 | CVE-2022-22688 | Improper neutralization of special elements used in a command ('Command Injection') vulnerability in File service functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-2 allows remote authenticated users to execute arbitrary commands via unspecified vectors. |
9.8 | 2022-03-25 | CVE-2022-22687 | Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors. |
8.8 | 2022-02-21 | CVE-2021-44142 | The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root. |
7.5 | 2022-02-07 | CVE-2022-22680 | Exposure of sensitive information to an unauthorized actor vulnerability in Web Server in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to obtain sensitive information via unspecified vectors. |
4.9 | 2022-02-07 | CVE-2022-22679 | Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in support service management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to write arbitrary files via unspecified vectors. |
5.4 | 2022-02-07 | CVE-2021-43929 | Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
9.8 | 2022-02-07 | CVE-2021-43927 | Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Security Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors. |
9.8 | 2022-02-07 | CVE-2021-43926 | Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors. |
9.8 | 2022-02-07 | CVE-2021-43925 | Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors. |
7.5 | 2021-06-23 | CVE-2021-29087 | Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors. |
7.5 | 2021-06-23 | CVE-2021-29086 | Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors. |
7.5 | 2021-06-23 | CVE-2021-29085 | Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors. |
7.5 | 2021-06-23 | CVE-2021-29084 | Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors. |
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
10% (8) | CWE-200 | Information Exposure |
9% (7) | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path ... |
8% (6) | CWE-787 | Out-of-bounds Write |
8% (6) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
5% (4) | CWE-319 | Cleartext Transmission of Sensitive Information |
5% (4) | CWE-125 | Out-of-bounds Read |
5% (4) | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('O... |
4% (3) | CWE-416 | Use After Free |
4% (3) | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
4% (3) | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('... |
4% (3) | CWE-77 | Improper Sanitization of Special Elements used in a Command ('Comma... |
4% (3) | CWE-74 | Failure to Sanitize Data into a Different Plane ('Injection') |
2% (2) | CWE-362 | Race Condition |
2% (2) | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
2% (2) | CWE-276 | Incorrect Default Permissions |
1% (1) | CWE-640 | Weak Password Recovery Mechanism for Forgotten Password |
1% (1) | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
1% (1) | CWE-400 | Uncontrolled Resource Consumption ('Resource Exhaustion') |
1% (1) | CWE-330 | Use of Insufficiently Random Values |
1% (1) | CWE-311 | Missing Encryption of Sensitive Data |
1% (1) | CWE-306 | Missing Authentication for Critical Function |
1% (1) | CWE-295 | Certificate Issues |
1% (1) | CWE-264 | Permissions, Privileges, and Access Controls |
1% (1) | CWE-255 | Credentials Management |
1% (1) | CWE-203 | Information Exposure Through Discrepancy |
Snort® IPS/IDS
Date | Description |
---|---|
2020-12-23 | TRUFFLEHUNTER TALOS-2020-1214 attack attempt RuleID : 56659 - Type : BROWSER-WEBKIT - Revision : 1 |
2020-12-23 | TRUFFLEHUNTER TALOS-2020-1214 attack attempt RuleID : 56658 - Type : BROWSER-WEBKIT - Revision : 1 |
2019-09-17 | Netatalk attn_quantum authentication bypass attempt RuleID : 51045 - Type : SERVER-OTHER - Revision : 1 |
2018-05-22 | Multiple Vendors NTP zero-origin timestamp denial of service attempt RuleID : 46387 - Type : SERVER-OTHER - Revision : 3 |
2018-02-20 | Intel x64 side-channel analysis information leak attempt RuleID : 45444 - Type : OS-OTHER - Revision : 2 |
2018-02-20 | Intel x64 side-channel analysis information leak attempt RuleID : 45443 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x64 side-channel analysis information leak attempt RuleID : 45368 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x64 side-channel analysis information leak attempt RuleID : 45367 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45366 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45365 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45364 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45363 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45362 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45361 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45360 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45359 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45358 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45357 - Type : OS-OTHER - Revision : 2 |
2014-02-15 | Synology DiskStation Manager SLICEUPLOAD remote command execution attempt RuleID : 29387 - Type : SERVER-WEBAPP - Revision : 3 |
2014-01-10 | Oracle Secure Backup observice.exe dns response overflow attempt RuleID : 20242 - Type : PROTOCOL-DNS - Revision : 10 |
Nessus® Vulnerability Scanner
id | Description |
---|---|
2019-01-03 | Name: The remote Fedora host is missing a security update. File: fedora_2018-e585e25b72.nasl - Type: ACT_GATHER_INFO |
2018-12-24 | Name: The remote Slackware host is missing a security update. File: Slackware_SSA_2018-355-01.nasl - Type: ACT_GATHER_INFO |
2018-12-21 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-4356.nasl - Type: ACT_GATHER_INFO |
2018-12-20 | Name: A file sharing service on the remote host is affected by a remote code execut... File: netatalk_open_session_bof.nasl - Type: ACT_ATTACK |
2018-11-27 | Name: The remote Virtuozzo host is missing a security update. File: Virtuozzo_VZLSA-2017-2838.nasl - Type: ACT_GATHER_INFO |
2018-11-02 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL91229003.nasl - Type: ACT_GATHER_INFO |
2018-10-31 | Name: The remote Gentoo host is missing one or more security-related patches. File: gentoo_GLSA-201810-06.nasl - Type: ACT_GATHER_INFO |
2018-09-20 | Name: The remote Amazon Linux AMI host is missing a security update. File: ala_ALAS-2018-1083.nasl - Type: ACT_GATHER_INFO |
2018-09-18 | Name: The remote EulerOS Virtualization host is missing multiple security updates. File: EulerOS_SA-2018-1236.nasl - Type: ACT_GATHER_INFO |
2018-08-17 | Name: The remote PhotonOS host is missing multiple security updates. File: PhotonOS_PHSA-2018-1_0-0098.nasl - Type: ACT_GATHER_INFO |
2018-08-17 | Name: The remote PhotonOS host is missing multiple security updates. File: PhotonOS_PHSA-2017-0035.nasl - Type: ACT_GATHER_INFO |
2018-08-17 | Name: The remote PhotonOS host is missing multiple security updates. File: PhotonOS_PHSA-2018-1_0-0167.nasl - Type: ACT_GATHER_INFO |
2018-07-24 | Name: The remote PhotonOS host is missing multiple security updates. File: PhotonOS_PHSA-2018-2_0-0011.nasl - Type: ACT_GATHER_INFO |
2018-07-20 | Name: The remote Debian host is missing a security update. File: debian_DLA-1423.nasl - Type: ACT_GATHER_INFO |
2018-07-16 | Name: The remote Debian host is missing a security update. File: debian_DLA-1422.nasl - Type: ACT_GATHER_INFO |
2018-05-29 | Name: The remote Gentoo host is missing one or more security-related patches. File: gentoo_GLSA-201805-12.nasl - Type: ACT_GATHER_INFO |
2018-05-11 | Name: The remote Amazon Linux AMI host is missing a security update. File: ala_ALAS-2018-1009.nasl - Type: ACT_GATHER_INFO |
2018-05-11 | Name: The remote Amazon Linux 2 host is missing a security update. File: al2_ALAS-2018-1009.nasl - Type: ACT_GATHER_INFO |
2018-05-03 | Name: The remote Debian host is missing a security update. File: debian_DLA-1369.nasl - Type: ACT_GATHER_INFO |
2018-05-02 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-4188.nasl - Type: ACT_GATHER_INFO |
2018-05-02 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-4187.nasl - Type: ACT_GATHER_INFO |
2018-04-18 | Name: The remote Amazon Linux 2 host is missing a security update. File: al2_ALAS-2018-956.nasl - Type: ACT_GATHER_INFO |
2018-03-29 | Name: The remote FreeBSD host is missing a security-related update. File: freebsd_pkg_1ce95bc7327811e8b52700012e582166.nasl - Type: ACT_GATHER_INFO |
2018-03-15 | Name: The remote CentOS host is missing one or more security updates. File: centos_RHSA-2018-0512.nasl - Type: ACT_GATHER_INFO |
2018-03-09 | Name: The remote NTP server is affected by multiple vulnerabilities. File: ntp_4_2_8p11.nasl - Type: ACT_GATHER_INFO |