This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Synology First view 2013-12-31
Product Diskstation Manager Last view 2024-01-24
Version Type
Update  
Edition  
Language  
Sofware Edition  
Target Software  
Target Hardware  
Other  

Activity : Overall

COMMON PLATFORM ENUMERATION: Repartition per Version

CPE Name Affected CVE
cpe:2.3:a:synology:diskstation_manager:5.2:*:*:*:*:*:*:* 71
cpe:2.3:a:synology:diskstation_manager:4.3-3810:*:*:*:*:*:*:* 70
cpe:2.3:a:synology:diskstation_manager:3.2-1955:*:*:*:*:*:*:* 69
cpe:2.3:a:synology:diskstation_manager:4.3:*:*:*:*:*:*:* 69
cpe:2.3:a:synology:diskstation_manager:4.2:*:*:*:*:*:*:* 69
cpe:2.3:a:synology:diskstation_manager:4.0:*:*:*:*:*:*:* 69
cpe:2.3:a:synology:diskstation_manager:4.3-3810:1:*:*:*:*:*:* 69
cpe:2.3:a:synology:diskstation_manager:*:*:*:*:*:*:*:* 69
cpe:2.3:a:synology:diskstation_manager:6.0:*:*:*:*:*:*:* 68
cpe:2.3:a:synology:diskstation_manager:6.1:*:*:*:*:*:*:* 68
cpe:2.3:a:synology:diskstation_manager:6.1.1:*:*:*:*:*:*:* 65
cpe:2.3:a:synology:diskstation_manager:6.2:*:*:*:*:*:*:* 59
cpe:2.3:a:synology:diskstation_manager:6.2.3_25426:*:*:*:*:*:*:* 51

Related : CVE

This CPE Product have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
  Date Alert Description
5.4 2024-01-24 CVE-2024-0854

URL redirection to untrusted site ('Open Redirect') vulnerability in file access component in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 allows remote authenticated users to conduct phishing attacks via unspecified vectors.

7.5 2023-06-13 CVE-2023-2729

Use of insufficiently random values vulnerability in User Management Functionality in Synology DiskStation Manager (DSM) before 7.2-64561 allows remote attackers to obtain user credential via unspecified vectors.

8.1 2023-06-13 CVE-2023-0142

Uncontrolled search path element vulnerability in Backup Management Functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote authenticated users to read or write arbitrary files via unspecified vectors.

9.1 2022-10-25 CVE-2022-27623

Missing authentication for critical function vulnerability in iSCSI management functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote attackers to read or write arbitrary files via unspecified vectors.

4.3 2022-10-25 CVE-2022-27622

Server-Side Request Forgery (SSRF) vulnerability in Package Center functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote authenticated users to access intranet resources via unspecified vectors.

7.5 2022-10-20 CVE-2022-3576

A vulnerability regarding out-of-bounds read is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to obtain sensitive information via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.

8.1 2022-10-20 CVE-2022-27626

A vulnerability regarding concurrent execution using shared resource with improper synchronization ('Race Condition') is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.

9.8 2022-10-20 CVE-2022-27625

A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the message processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.

9.8 2022-10-20 CVE-2022-27624

A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the packet decryption functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.

7.2 2022-08-03 CVE-2022-27616

Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 7.0.1-42218-3 allows remote authenticated users to execute arbitrary commands via unspecified vectors.

8.8 2022-07-28 CVE-2022-22684

Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to execute arbitrary commands via unspecified vectors.

8.1 2022-07-27 CVE-2022-27610

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25423 allows remote authenticated users to delete arbitrary files via unspecified vectors.

8.8 2022-03-25 CVE-2022-22688

Improper neutralization of special elements used in a command ('Command Injection') vulnerability in File service functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-2 allows remote authenticated users to execute arbitrary commands via unspecified vectors.

9.8 2022-03-25 CVE-2022-22687

Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors.

8.8 2022-02-21 CVE-2021-44142

The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.

7.5 2022-02-07 CVE-2022-22680

Exposure of sensitive information to an unauthorized actor vulnerability in Web Server in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to obtain sensitive information via unspecified vectors.

4.9 2022-02-07 CVE-2022-22679

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in support service management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to write arbitrary files via unspecified vectors.

5.4 2022-02-07 CVE-2021-43929

Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

9.8 2022-02-07 CVE-2021-43927

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Security Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.

9.8 2022-02-07 CVE-2021-43926

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.

9.8 2022-02-07 CVE-2021-43925

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors.

7.5 2021-06-23 CVE-2021-29087

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors.

7.5 2021-06-23 CVE-2021-29086

Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive information via unspecified vectors.

7.5 2021-06-23 CVE-2021-29085

Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.

7.5 2021-06-23 CVE-2021-29084

Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to read arbitrary files via unspecified vectors.

CWE : Common Weakness Enumeration

This CPE Product have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
%idName
10% (8) CWE-200 Information Exposure
9% (7) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...
8% (6) CWE-787 Out-of-bounds Write
8% (6) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
5% (4) CWE-319 Cleartext Transmission of Sensitive Information
5% (4) CWE-125 Out-of-bounds Read
5% (4) CWE-78 Improper Sanitization of Special Elements used in an OS Command ('O...
4% (3) CWE-416 Use After Free
4% (3) CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
4% (3) CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('...
4% (3) CWE-77 Improper Sanitization of Special Elements used in a Command ('Comma...
4% (3) CWE-74 Failure to Sanitize Data into a Different Plane ('Injection')
2% (2) CWE-362 Race Condition
2% (2) CWE-327 Use of a Broken or Risky Cryptographic Algorithm
2% (2) CWE-276 Incorrect Default Permissions
1% (1) CWE-640 Weak Password Recovery Mechanism for Forgotten Password
1% (1) CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
1% (1) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
1% (1) CWE-330 Use of Insufficiently Random Values
1% (1) CWE-311 Missing Encryption of Sensitive Data
1% (1) CWE-306 Missing Authentication for Critical Function
1% (1) CWE-295 Certificate Issues
1% (1) CWE-264 Permissions, Privileges, and Access Controls
1% (1) CWE-255 Credentials Management
1% (1) CWE-203 Information Exposure Through Discrepancy

Snort® IPS/IDS

Date Description
2020-12-23 TRUFFLEHUNTER TALOS-2020-1214 attack attempt
RuleID : 56659 - Type : BROWSER-WEBKIT - Revision : 1
2020-12-23 TRUFFLEHUNTER TALOS-2020-1214 attack attempt
RuleID : 56658 - Type : BROWSER-WEBKIT - Revision : 1
2019-09-17 Netatalk attn_quantum authentication bypass attempt
RuleID : 51045 - Type : SERVER-OTHER - Revision : 1
2018-05-22 Multiple Vendors NTP zero-origin timestamp denial of service attempt
RuleID : 46387 - Type : SERVER-OTHER - Revision : 3
2018-02-20 Intel x64 side-channel analysis information leak attempt
RuleID : 45444 - Type : OS-OTHER - Revision : 2
2018-02-20 Intel x64 side-channel analysis information leak attempt
RuleID : 45443 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x64 side-channel analysis information leak attempt
RuleID : 45368 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x64 side-channel analysis information leak attempt
RuleID : 45367 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45366 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45365 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45364 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45363 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45362 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45361 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45360 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45359 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45358 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45357 - Type : OS-OTHER - Revision : 2
2014-02-15 Synology DiskStation Manager SLICEUPLOAD remote command execution attempt
RuleID : 29387 - Type : SERVER-WEBAPP - Revision : 3
2014-01-10 Oracle Secure Backup observice.exe dns response overflow attempt
RuleID : 20242 - Type : PROTOCOL-DNS - Revision : 10

Nessus® Vulnerability Scanner

This CPE Product have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-e585e25b72.nasl - Type: ACT_GATHER_INFO
2018-12-24 Name: The remote Slackware host is missing a security update.
File: Slackware_SSA_2018-355-01.nasl - Type: ACT_GATHER_INFO
2018-12-21 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4356.nasl - Type: ACT_GATHER_INFO
2018-12-20 Name: A file sharing service on the remote host is affected by a remote code execut...
File: netatalk_open_session_bof.nasl - Type: ACT_ATTACK
2018-11-27 Name: The remote Virtuozzo host is missing a security update.
File: Virtuozzo_VZLSA-2017-2838.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL91229003.nasl - Type: ACT_GATHER_INFO
2018-10-31 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201810-06.nasl - Type: ACT_GATHER_INFO
2018-09-20 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2018-1083.nasl - Type: ACT_GATHER_INFO
2018-09-18 Name: The remote EulerOS Virtualization host is missing multiple security updates.
File: EulerOS_SA-2018-1236.nasl - Type: ACT_GATHER_INFO
2018-08-17 Name: The remote PhotonOS host is missing multiple security updates.
File: PhotonOS_PHSA-2018-1_0-0098.nasl - Type: ACT_GATHER_INFO
2018-08-17 Name: The remote PhotonOS host is missing multiple security updates.
File: PhotonOS_PHSA-2017-0035.nasl - Type: ACT_GATHER_INFO
2018-08-17 Name: The remote PhotonOS host is missing multiple security updates.
File: PhotonOS_PHSA-2018-1_0-0167.nasl - Type: ACT_GATHER_INFO
2018-07-24 Name: The remote PhotonOS host is missing multiple security updates.
File: PhotonOS_PHSA-2018-2_0-0011.nasl - Type: ACT_GATHER_INFO
2018-07-20 Name: The remote Debian host is missing a security update.
File: debian_DLA-1423.nasl - Type: ACT_GATHER_INFO
2018-07-16 Name: The remote Debian host is missing a security update.
File: debian_DLA-1422.nasl - Type: ACT_GATHER_INFO
2018-05-29 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201805-12.nasl - Type: ACT_GATHER_INFO
2018-05-11 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2018-1009.nasl - Type: ACT_GATHER_INFO
2018-05-11 Name: The remote Amazon Linux 2 host is missing a security update.
File: al2_ALAS-2018-1009.nasl - Type: ACT_GATHER_INFO
2018-05-03 Name: The remote Debian host is missing a security update.
File: debian_DLA-1369.nasl - Type: ACT_GATHER_INFO
2018-05-02 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4188.nasl - Type: ACT_GATHER_INFO
2018-05-02 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4187.nasl - Type: ACT_GATHER_INFO
2018-04-18 Name: The remote Amazon Linux 2 host is missing a security update.
File: al2_ALAS-2018-956.nasl - Type: ACT_GATHER_INFO
2018-03-29 Name: The remote FreeBSD host is missing a security-related update.
File: freebsd_pkg_1ce95bc7327811e8b52700012e582166.nasl - Type: ACT_GATHER_INFO
2018-03-15 Name: The remote CentOS host is missing one or more security updates.
File: centos_RHSA-2018-0512.nasl - Type: ACT_GATHER_INFO
2018-03-09 Name: The remote NTP server is affected by multiple vulnerabilities.
File: ntp_4_2_8p11.nasl - Type: ACT_GATHER_INFO