Summary
Detail | |||
---|---|---|---|
Vendor | Synology | First view | 2017-08-28 |
Product | Router Manager | Last view | 2020-10-29 |
Version | 1.1 | Type | Application |
Update | * | ||
Edition | * | ||
Language | * | ||
Software Edition | * | ||
Target Software | * | ||
Target Hardware | * | ||
Other | * | ||
CPE Product | cpe:2.3:a:synology:router_manager |
Related : CVE
Score | Date | Alert | Description |
---|---|---|---|
6.1 | 2020-10-29 | CVE-2020-27658 | Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. |
5.9 | 2020-10-29 | CVE-2020-27657 | Cleartext transmission of sensitive information vulnerability in DDNS in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors. |
10 | 2020-10-29 | CVE-2020-27655 | Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic. |
9.8 | 2020-10-29 | CVE-2020-27654 | Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp. |
8.3 | 2020-10-29 | CVE-2020-27653 | Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors. |
8.1 | 2020-10-29 | CVE-2020-27651 | Synology Router Manager (SRM) before 1.2.4-8081 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session. |
9 | 2020-10-29 | CVE-2020-27649 | Improper certificate validation vulnerability in OpenVPN client in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
7.5 | 2020-05-04 | CVE-2019-11823 | CRLF injection vulnerability in Network Center in Synology Router Manager (SRM) before 1.2.3-8017-2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic. |
4.3 | 2019-04-01 | CVE-2018-13292 | Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote authenticated users to obtain sensitive information via the world readable configuration. |
4.3 | 2019-04-01 | CVE-2018-13290 | Information exposure vulnerability in SYNO.Core.ACL in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote authenticated users to determine the existence of files or obtain sensitive information of files via the file_path parameter. |
5.3 | 2019-04-01 | CVE-2018-13289 | Information exposure vulnerability in SYNO.FolderSharing.List in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote attackers to obtain sensitive information via the (1) folder_path or (2) real_path parameter. |
6.5 | 2019-04-01 | CVE-2018-13287 | Incorrect default permissions vulnerability in synouser.conf in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to obtain sensitive information via the world readable configuration. |
8.8 | 2019-04-01 | CVE-2018-13285 | Command injection vulnerability in ftpd in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command. |
5.4 | 2018-12-24 | CVE-2018-8918 | Cross-site scripting (XSS) vulnerability in info.cgi in Synology Router Manager (SRM) before 1.1.7-6941 allows remote attackers to inject arbitrary web script or HTML via the host parameter. |
9.8 | 2018-12-20 | CVE-2018-1160 | Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution. |
7.2 | 2018-06-08 | CVE-2017-12078 | Command injection vulnerability in EZ-Internet in Synology Router Manager (SRM) before 1.1.6-6931 allows remote authenticated users to execute arbitrary commands via the username parameter. |
7.5 | 2018-03-06 | CVE-2018-7185 | The protocol engine in ntp 4.2.6 before 4.2.8p11 allows remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association causing the victim ntpd to reset its association. |
7.5 | 2018-03-06 | CVE-2018-7184 | ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704. |
5.3 | 2018-03-06 | CVE-2018-7170 | ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549. |
5.6 | 2018-01-04 | CVE-2017-5753 | Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. |
6.5 | 2017-12-08 | CVE-2017-15895 | Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology Router Manager (SRM) before 1.1.5-6542-4 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter. |
4.9 | 2017-08-28 | CVE-2017-12077 | Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology Router Manager (SRM) before 1.1.4-6509 allows a remote authenticated attacker to exhaust the memory resources of the machine, causing a denial of service. |
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
21% (4) | CWE-200 | Information Exposure |
10% (2) | CWE-269 | Improper Privilege Management |
5% (1) | CWE-787 | Out-of-bounds Write |
5% (1) | CWE-732 | Incorrect Permission Assignment for Critical Resource |
5% (1) | CWE-400 | Uncontrolled Resource Consumption ('Resource Exhaustion') |
5% (1) | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
5% (1) | CWE-319 | Cleartext Transmission of Sensitive Information |
5% (1) | CWE-311 | Missing Encryption of Sensitive Data |
5% (1) | CWE-295 | Certificate Issues |
5% (1) | CWE-276 | Incorrect Default Permissions |
5% (1) | CWE-125 | Out-of-bounds Read |
5% (1) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
5% (1) | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('O... |
5% (1) | CWE-77 | Improper Sanitization of Special Elements used in a Command ('Comma... |
5% (1) | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path ... |
Snort® IPS/IDS
Date | Description |
---|---|
2019-09-17 | Netatalk attn_quantum authentication bypass attempt RuleID : 51045 - Type : SERVER-OTHER - Revision : 1 |
2018-05-22 | Multiple Vendors NTP zero-origin timestamp denial of service attempt RuleID : 46387 - Type : SERVER-OTHER - Revision : 3 |
2018-02-20 | Intel x64 side-channel analysis information leak attempt RuleID : 45444 - Type : OS-OTHER - Revision : 2 |
2018-02-20 | Intel x64 side-channel analysis information leak attempt RuleID : 45443 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x64 side-channel analysis information leak attempt RuleID : 45368 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x64 side-channel analysis information leak attempt RuleID : 45367 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45366 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45365 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45364 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45363 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45362 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45361 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45360 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45359 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45358 - Type : OS-OTHER - Revision : 2 |
2018-02-06 | Intel x86 side-channel analysis information leak attempt RuleID : 45357 - Type : OS-OTHER - Revision : 2 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2019-01-03 | Name: The remote Fedora host is missing a security update. File: fedora_2018-e585e25b72.nasl - Type: ACT_GATHER_INFO |
2018-12-24 | Name: The remote Slackware host is missing a security update. File: Slackware_SSA_2018-355-01.nasl - Type: ACT_GATHER_INFO |
2018-12-21 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-4356.nasl - Type: ACT_GATHER_INFO |
2018-12-20 | Name: A file sharing service on the remote host is affected by a remote code execut... File: netatalk_open_session_bof.nasl - Type: ACT_ATTACK |
2018-11-02 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL91229003.nasl - Type: ACT_GATHER_INFO |
2018-10-31 | Name: The remote Gentoo host is missing one or more security-related patches. File: gentoo_GLSA-201810-06.nasl - Type: ACT_GATHER_INFO |
2018-09-20 | Name: The remote Amazon Linux AMI host is missing a security update. File: ala_ALAS-2018-1083.nasl - Type: ACT_GATHER_INFO |
2018-09-18 | Name: The remote EulerOS Virtualization host is missing multiple security updates. File: EulerOS_SA-2018-1236.nasl - Type: ACT_GATHER_INFO |
2018-08-17 | Name: The remote PhotonOS host is missing multiple security updates. File: PhotonOS_PHSA-2018-1_0-0167.nasl - Type: ACT_GATHER_INFO |
2018-08-17 | Name: The remote PhotonOS host is missing multiple security updates. File: PhotonOS_PHSA-2018-1_0-0098.nasl - Type: ACT_GATHER_INFO |
2018-07-24 | Name: The remote PhotonOS host is missing multiple security updates. File: PhotonOS_PHSA-2018-2_0-0011.nasl - Type: ACT_GATHER_INFO |
2018-07-20 | Name: The remote Debian host is missing a security update. File: debian_DLA-1423.nasl - Type: ACT_GATHER_INFO |
2018-07-16 | Name: The remote Debian host is missing a security update. File: debian_DLA-1422.nasl - Type: ACT_GATHER_INFO |
2018-05-29 | Name: The remote Gentoo host is missing one or more security-related patches. File: gentoo_GLSA-201805-12.nasl - Type: ACT_GATHER_INFO |
2018-05-11 | Name: The remote Amazon Linux AMI host is missing a security update. File: ala_ALAS-2018-1009.nasl - Type: ACT_GATHER_INFO |
2018-05-11 | Name: The remote Amazon Linux 2 host is missing a security update. File: al2_ALAS-2018-1009.nasl - Type: ACT_GATHER_INFO |
2018-05-03 | Name: The remote Debian host is missing a security update. File: debian_DLA-1369.nasl - Type: ACT_GATHER_INFO |
2018-05-02 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-4188.nasl - Type: ACT_GATHER_INFO |
2018-05-02 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-4187.nasl - Type: ACT_GATHER_INFO |
2018-04-18 | Name: The remote Amazon Linux 2 host is missing a security update. File: al2_ALAS-2018-956.nasl - Type: ACT_GATHER_INFO |
2018-03-29 | Name: The remote FreeBSD host is missing a security-related update. File: freebsd_pkg_1ce95bc7327811e8b52700012e582166.nasl - Type: ACT_GATHER_INFO |
2018-03-15 | Name: The remote CentOS host is missing one or more security updates. File: centos_RHSA-2018-0512.nasl - Type: ACT_GATHER_INFO |
2018-03-09 | Name: The remote NTP server is affected by multiple vulnerabilities. File: ntp_4_2_8p11.nasl - Type: ACT_GATHER_INFO |
2018-03-02 | Name: The remote Slackware host is missing a security update. File: Slackware_SSA_2018-060-02.nasl - Type: ACT_GATHER_INFO |
2018-02-28 | Name: The remote FreeBSD host is missing one or more security-related updates. File: freebsd_pkg_af485ef41c5811e88477d05099c0ae8c.nasl - Type: ACT_GATHER_INFO |