Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Photo_station
(Synology)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 33 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2017-08-08 | CVE-2017-11154 | Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type parameter. | Photo_station | 7.2 | ||
| 2017-08-08 | CVE-2017-11153 | Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload. | Photo_station | 9.8 | ||
| 2017-08-08 | CVE-2017-11152 | Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter. | Photo_station | 7.5 | ||
| 2017-08-08 | CVE-2017-11151 | A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action. | Photo_station | 9.8 | ||
| 2017-05-12 | CVE-2016-10331 | Directory traversal vulnerability in download.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to read arbitrary files via a full pathname in the id parameter. | Photo_station | 7.5 | ||
| 2017-05-12 | CVE-2016-10329 | Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted 'X-Forwarded-For' header. | Photo_station | 9.8 | ||
| 2017-06-30 | CVE-2015-9102 | Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos. | Photo_station | 5.4 | ||
| 2017-04-10 | CVE-2016-10323 | Synology Photo Station before 6.3-2958 allows local users to gain privileges by leveraging setuid execution of a "synophoto_dsm_user --copy-no-ea" command. | Photo_station | 7.8 | ||
| 2017-04-10 | CVE-2016-10322 | Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php. | Photo_station | 8.8 | ||
| 2015-06-18 | CVE-2015-4656 | Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php or (2) crafted URL parameters to index.php, as demonstrated by the t parameter to photo/. | Photo_station | N/A |