This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Synology First view 2017-08-28
Product Router Manager Last view 2020-10-29
Version 1.1 Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:synology:router_manager

Activity : Overall

Related : CVE

  Date Alert Description
6.1 2020-10-29 CVE-2020-27658

Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

5.9 2020-10-29 CVE-2020-27657

Cleartext transmission of sensitive information vulnerability in DDNS in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.

10 2020-10-29 CVE-2020-27655

Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.

9.8 2020-10-29 CVE-2020-27654

Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.

8.3 2020-10-29 CVE-2020-27653

Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.

8.1 2020-10-29 CVE-2020-27651

Synology Router Manager (SRM) before 1.2.4-8081 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

9 2020-10-29 CVE-2020-27649

Improper certificate validation vulnerability in OpenVPN client in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

7.5 2020-05-04 CVE-2019-11823

CRLF injection vulnerability in Network Center in Synology Router Manager (SRM) before 1.2.3-8017-2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic.

4.3 2019-04-01 CVE-2018-13292

Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote authenticated users to obtain sensitive information via the world readable configuration.

4.3 2019-04-01 CVE-2018-13290

Information exposure vulnerability in SYNO.Core.ACL in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote authenticated users to determine the existence of files or obtain sensitive information of files via the file_path parameter.

5.3 2019-04-01 CVE-2018-13289

Information exposure vulnerability in SYNO.FolderSharing.List in Synology Router Manager (SRM) before 1.1.7-6941-2 allows remote attackers to obtain sensitive information via the (1) folder_path or (2) real_path parameter.

6.5 2019-04-01 CVE-2018-13287

Incorrect default permissions vulnerability in synouser.conf in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to obtain sensitive information via the world readable configuration.

8.8 2019-04-01 CVE-2018-13285

Command injection vulnerability in ftpd in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command.

5.4 2018-12-24 CVE-2018-8918

Cross-site scripting (XSS) vulnerability in info.cgi in Synology Router Manager (SRM) before 1.1.7-6941 allows remote attackers to inject arbitrary web script or HTML via the host parameter.

9.8 2018-12-20 CVE-2018-1160

Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.

7.2 2018-06-08 CVE-2017-12078

Command injection vulnerability in EZ-Internet in Synology Router Manager (SRM) before 1.1.6-6931 allows remote authenticated users to execute arbitrary command via the username parameter.

7.5 2018-03-06 CVE-2018-7185

The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association causing the victim ntpd to reset its association.

7.5 2018-03-06 CVE-2018-7184

ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.

5.3 2018-03-06 CVE-2018-7170

ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549.

5.6 2018-01-04 CVE-2017-5753

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

6.5 2017-12-08 CVE-2017-15895

Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology Router Manager (SRM) before 1.1.5-6542-4 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.

4.9 2017-08-28 CVE-2017-12077

Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology Router Manager (SRM) before 1.1.4-6509 allows remote authenticated attacker to exhaust the memory resources of the machine, causing a denial of service attack.

CWE : Common Weakness Enumeration

%idName
21% (4) CWE-200 Information Exposure
10% (2) CWE-269 Improper Privilege Management
5% (1) CWE-787 Out-of-bounds Write
5% (1) CWE-732 Incorrect Permission Assignment for Critical Resource
5% (1) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
5% (1) CWE-327 Use of a Broken or Risky Cryptographic Algorithm
5% (1) CWE-319 Cleartext Transmission of Sensitive Information
5% (1) CWE-311 Missing Encryption of Sensitive Data
5% (1) CWE-295 Certificate Issues
5% (1) CWE-276 Incorrect Default Permissions
5% (1) CWE-125 Out-of-bounds Read
5% (1) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
5% (1) CWE-78 Improper Sanitization of Special Elements used in an OS Command ('O...
5% (1) CWE-77 Improper Sanitization of Special Elements used in a Command ('Comma...
5% (1) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...

Snort® IPS/IDS

Date Description
2019-09-17 Netatalk attn_quantum authentication bypass attempt
RuleID : 51045 - Type : SERVER-OTHER - Revision : 1
2018-05-22 Multiple Vendors NTP zero-origin timestamp denial of service attempt
RuleID : 46387 - Type : SERVER-OTHER - Revision : 3
2018-02-20 Intel x64 side-channel analysis information leak attempt
RuleID : 45444 - Type : OS-OTHER - Revision : 2
2018-02-20 Intel x64 side-channel analysis information leak attempt
RuleID : 45443 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x64 side-channel analysis information leak attempt
RuleID : 45368 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x64 side-channel analysis information leak attempt
RuleID : 45367 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45366 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45365 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45364 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45363 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45362 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45361 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45360 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45359 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45358 - Type : OS-OTHER - Revision : 2
2018-02-06 Intel x86 side-channel analysis information leak attempt
RuleID : 45357 - Type : OS-OTHER - Revision : 2

Nessus® Vulnerability Scanner

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-e585e25b72.nasl - Type: ACT_GATHER_INFO
2018-12-24 Name: The remote Slackware host is missing a security update.
File: Slackware_SSA_2018-355-01.nasl - Type: ACT_GATHER_INFO
2018-12-21 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4356.nasl - Type: ACT_GATHER_INFO
2018-12-20 Name: A file sharing service on the remote host is affected by a remote code execut...
File: netatalk_open_session_bof.nasl - Type: ACT_ATTACK
2018-11-02 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL91229003.nasl - Type: ACT_GATHER_INFO
2018-10-31 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201810-06.nasl - Type: ACT_GATHER_INFO
2018-09-20 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2018-1083.nasl - Type: ACT_GATHER_INFO
2018-09-18 Name: The remote EulerOS Virtualization host is missing multiple security updates.
File: EulerOS_SA-2018-1236.nasl - Type: ACT_GATHER_INFO
2018-08-17 Name: The remote PhotonOS host is missing multiple security updates.
File: PhotonOS_PHSA-2018-1_0-0167.nasl - Type: ACT_GATHER_INFO
2018-08-17 Name: The remote PhotonOS host is missing multiple security updates.
File: PhotonOS_PHSA-2018-1_0-0098.nasl - Type: ACT_GATHER_INFO
2018-07-24 Name: The remote PhotonOS host is missing multiple security updates.
File: PhotonOS_PHSA-2018-2_0-0011.nasl - Type: ACT_GATHER_INFO
2018-07-20 Name: The remote Debian host is missing a security update.
File: debian_DLA-1423.nasl - Type: ACT_GATHER_INFO
2018-07-16 Name: The remote Debian host is missing a security update.
File: debian_DLA-1422.nasl - Type: ACT_GATHER_INFO
2018-05-29 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201805-12.nasl - Type: ACT_GATHER_INFO
2018-05-11 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2018-1009.nasl - Type: ACT_GATHER_INFO
2018-05-11 Name: The remote Amazon Linux 2 host is missing a security update.
File: al2_ALAS-2018-1009.nasl - Type: ACT_GATHER_INFO
2018-05-03 Name: The remote Debian host is missing a security update.
File: debian_DLA-1369.nasl - Type: ACT_GATHER_INFO
2018-05-02 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4188.nasl - Type: ACT_GATHER_INFO
2018-05-02 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4187.nasl - Type: ACT_GATHER_INFO
2018-04-18 Name: The remote Amazon Linux 2 host is missing a security update.
File: al2_ALAS-2018-956.nasl - Type: ACT_GATHER_INFO
2018-03-29 Name: The remote FreeBSD host is missing a security-related update.
File: freebsd_pkg_1ce95bc7327811e8b52700012e582166.nasl - Type: ACT_GATHER_INFO
2018-03-15 Name: The remote CentOS host is missing one or more security updates.
File: centos_RHSA-2018-0512.nasl - Type: ACT_GATHER_INFO
2018-03-09 Name: The remote NTP server is affected by multiple vulnerabilities.
File: ntp_4_2_8p11.nasl - Type: ACT_GATHER_INFO
2018-03-02 Name: The remote Slackware host is missing a security update.
File: Slackware_SSA_2018-060-02.nasl - Type: ACT_GATHER_INFO
2018-02-28 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_af485ef41c5811e88477d05099c0ae8c.nasl - Type: ACT_GATHER_INFO