Skip to main content

Download Station CVE-2021-34809

HIGH
Command Injection (CWE-77)
2021-06-18 security@synology.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 18, 2021 - 03:15 nvd
HIGH 8.8

DescriptionNVD

Improper neutralization of special elements used in a command ('Command Injection') vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors.

AnalysisAI

Improper neutralization of special elements used in a command ('Command Injection') vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Command Injection (CWE-77), which allows attackers to inject arbitrary commands into system command execution. Improper neutralization of special elements used in a command ('Command Injection') vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors. Affected products include: Synology Download Station. Version information: before 3.8.16.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized APIs, avoid shell execution, validate input with strict allowlists.

CVE-2021-34810 HIGH
8.8 Jun 18

Improper privilege management vulnerability in cgi component in Synology Download Station before 3.8.16-3566 allows remo

CVE-2015-6909 MEDIUM POC
4.3 Sep 11

Cross-site scripting (XSS) vulnerability in the "Create download task via file upload" feature in Synology Download Stat

CVE-2015-6913 MEDIUM POC
4.3 Sep 11

Cross-site scripting (XSS) vulnerability in the "Create download task via URL" feature in Synology Download Station befo

CVE-2017-11156 HIGH
7.8 Aug 14

Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 uses weak permissions (0777) for ui/dlm/btsear

CVE-2021-33184 HIGH
7.7 Jun 01

Server-Side request forgery (SSRF) vulnerability in task management component in Synology Download Station before 3.8.15

CVE-2024-38640 HIGH
7.0 Sep 06

A cross-site scripting (XSS) vulnerability has been reported to affect Download Station. Rated high severity (CVSS 7.0),

CVE-2017-11149 MEDIUM
6.5 Aug 14

Server-side request forgery (SSRF) vulnerability in Downloader in Synology Download Station 3.8.x before 3.8.5-3475 and

CVE-2021-34811 MEDIUM
4.3 Jun 18

Server-Side Request Forgery (SSRF) vulnerability in task management component in Synology Download Station before 3.8.16

CVE-2025-58465 LOW
2.2 Nov 07

A cross-site scripting (XSS) vulnerability has been reported to affect Download Station. Rated low severity (CVSS 2.2),

CVE-2025-58463 LOW
2.3 Nov 07

A relative path traversal vulnerability has been reported to affect Download Station. Rated low severity (CVSS 2.3), thi

CVE-2024-0354 MEDIUM
5.3 Jan 10

A vulnerability, which was classified as critical, has been found in unknown-o download-station up to 1.1.8.php. Rated m

Share

CVE-2021-34809 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy