Skip to main content

Diskstation Manager Unified Controller

20 CVEs product

Monthly

CVE-2024-5401 MEDIUM PATCH This Month

Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors.

Synology Information Disclosure Diskstation Manager Diskstation Manager Unified Controller
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-45539 HIGH PATCH This Week

Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors.

Buffer Overflow Synology Memory Corruption Diskstation Manager Diskstation Manager Unified Controller
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-45538 CRITICAL PATCH Act Now

Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors.

Synology CSRF RCE Diskstation Manager Diskstation Manager Unified Controller
NVD
CVSS 3.1
9.6
EPSS
0.1%
CVE-2023-2729 HIGH This Week

Use of insufficiently random values vulnerability in User Management Functionality in Synology DiskStation Manager (DSM) before 7.2-64561 allows remote attackers to obtain user credential via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Synology Diskstation Manager Unified Controller Router Manager Diskstation Manager
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2023-0142 HIGH This Week

Uncontrolled search path element vulnerability in Backup Management functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.0.1-42218-7 and 7.1-42661 allows remote authenticated. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Synology Diskstation Manager Unified Controller Router Manager Diskstation Manager
NVD
CVSS 3.1
8.1
EPSS
1.0%
CVE-2022-22687 CRITICAL Act Now

Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology RCE Buffer Overflow Diskstation Manager Diskstation Manager Unified Controller
NVD
CVSS 3.1
9.8
EPSS
2.3%
CVE-2021-29087 HIGH This Week

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology Path Traversal Diskstation Manager Diskstation Manager Unified Controller
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2021-29086 HIGH This Week

Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology Information Disclosure Diskstation Manager Diskstation Manager Unified Controller
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2021-29085 HIGH This Week

Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology Code Injection Diskstation Manager Diskstation Manager Unified Controller
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2021-29084 HIGH This Week

Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology Code Injection Diskstation Manager Diskstation Manager Unified Controller
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2021-27649 CRITICAL Act Now

Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology RCE Memory Corruption Use After Free Denial Of Service +2
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2021-26567 HIGH PATCH This Week

Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Buffer Overflow RCE Stack Overflow Diskstation Manager Vs960Hd Firmware +3
NVD GitHub
CVSS 3.1
7.8
EPSS
1.1%
CVE-2021-26566 CRITICAL POC Act Now

Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Synology Information Disclosure Diskstation Manager Vs960Hd Firmware Skynas Firmware +1
NVD
CVSS 3.1
9.0
EPSS
1.4%
CVE-2021-26565 MEDIUM POC This Month

Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Synology Information Disclosure Diskstation Manager Vs960Hd Firmware Skynas Firmware +1
NVD
CVSS 3.1
5.9
EPSS
0.7%
CVE-2021-26564 HIGH POC This Week

Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Synology Information Disclosure Diskstation Manager Vs960Hd Firmware Skynas Firmware +1
NVD
CVSS 3.1
8.7
EPSS
0.6%
CVE-2021-26563 MEDIUM POC This Month

Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Synology RCE Authentication Bypass Diskstation Manager Vs960Hd Firmware +2
NVD
CVSS 3.1
6.7
EPSS
0.5%
CVE-2021-26562 HIGH POC This Week

Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Buffer Overflow Synology RCE Memory Corruption Diskstation Manager +3
NVD
CVSS 3.1
8.1
EPSS
1.7%
CVE-2021-26561 HIGH POC This Week

Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Buffer Overflow Synology RCE Stack Overflow Diskstation Manager +3
NVD
CVSS 3.1
8.1
EPSS
1.9%
CVE-2021-26560 HIGH POC This Week

Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Synology Information Disclosure Diskstation Manager Vs960Hd Firmware Skynas Firmware +1
NVD
CVSS 3.1
7.4
EPSS
0.7%
CVE-2021-3156 HIGH POC KEV PATCH THREAT Act Now

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Buffer Overflow Privilege Escalation Sudo Fedora Debian Linux +21
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
99.3%
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors.

Synology Information Disclosure Diskstation Manager +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors.

Buffer Overflow Synology Memory Corruption +2
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors.

Synology CSRF RCE +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Use of insufficiently random values vulnerability in User Management Functionality in Synology DiskStation Manager (DSM) before 7.2-64561 allows remote attackers to obtain user credential via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Synology Diskstation Manager Unified Controller +2
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Uncontrolled search path element vulnerability in Backup Management functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.0.1-42218-7 and 7.1-42661 allows remote authenticated. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Synology Diskstation Manager Unified Controller +2
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology RCE Buffer Overflow +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology Path Traversal Diskstation Manager +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to obtain sensitive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology Information Disclosure Diskstation Manager +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing management component in Synology DiskStation Manager (DSM) before. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology Code Injection Diskstation Manager +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advisor report management component in Synology DiskStation Manager (DSM). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology Code Injection Diskstation Manager +1
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology RCE Memory Corruption +4
NVD
EPSS 1% CVSS 7.8
HIGH PATCH This Week

Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Buffer Overflow RCE Stack Overflow +5
NVD GitHub
EPSS 1% CVSS 9.0
CRITICAL POC Act Now

Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Synology Information Disclosure Diskstation Manager +3
NVD
EPSS 1% CVSS 5.9
MEDIUM POC This Month

Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Synology Information Disclosure Diskstation Manager +3
NVD
EPSS 1% CVSS 8.7
HIGH POC This Week

Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Synology Information Disclosure Diskstation Manager +3
NVD
EPSS 1% CVSS 6.7
MEDIUM POC This Month

Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Synology RCE Authentication Bypass +4
NVD
EPSS 2% CVSS 8.1
HIGH POC This Week

Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Buffer Overflow Synology RCE +5
NVD
EPSS 2% CVSS 8.1
HIGH POC This Week

Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Buffer Overflow Synology RCE +5
NVD
EPSS 1% CVSS 7.4
HIGH POC This Week

Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Synology Information Disclosure Diskstation Manager +3
NVD
EPSS 99% CVSS 7.8
HIGH POC KEV PATCH THREAT Act Now

Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via "sudoedit -s" and a command-line argument that ends. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Buffer Overflow Privilege Escalation Sudo +23
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy