Skip to main content

Photo Station

46 CVEs product

Monthly

CVE-2017-20210 CRITICAL Act Now

Photo Station 5.4.1 & 5.2.7 include the security fix for the vulnerability related to the XMR mining programs identified by internal research. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Photo Station
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-12923 LOW Monitor

A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. Rated low severity (CVSS 2.0), this vulnerability is remotely exploitable. No vendor patch available.

XSS Photo Station
NVD
CVSS 4.0
2.0
EPSS
0.1%
CVE-2024-32770 MEDIUM This Month

A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Photo Station
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-32769 MEDIUM This Month

A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Photo Station
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-32768 MEDIUM This Month

A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Photo Station
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-32767 MEDIUM This Month

A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Photo Station
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2022-27593 CRITICAL POC KEV THREAT Act Now

An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Qnap Photo Station
NVD
CVSS 3.1
9.1
EPSS
87.9%
CVE-2022-22681 HIGH This Week

Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Session Fixation Synology Photo Station
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2021-34356 MEDIUM This Month

A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Photo Station. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Qnap XSS Photo Station
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-34355 MEDIUM This Month

A cross-site scripting (XSS) vulnerability has been reported to affect QNAP NAS running Photo Station. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Qnap XSS Photo Station
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-34354 MEDIUM This Month

A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Photo Station. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Qnap XSS Photo Station
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-29089 CRITICAL Act Now

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in thumbnail component in Synology Photo Station before 6.8.14-3500 allows remote attackers users to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology SQLi Photo Station
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2021-29091 MEDIUM This Month

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Synology Path Traversal Photo Station
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2021-29090 HIGH This Week

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in PHP component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Synology SQLi PHP Photo Station
NVD
CVSS 3.1
7.2
EPSS
1.7%
CVE-2021-29092 HIGH This Week

Unrestricted upload of file with dangerous type vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary code via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Synology RCE File Upload Photo Station
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2020-2491 MEDIUM This Month

This cross-site scripting vulnerability in Photo Station allows remote attackers to inject malicious code. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Photo Station
NVD
CVSS 3.1
6.1
EPSS
1.0%
CVE-2019-7195 CRITICAL POC KEV THREAT Act Now

This external control of file name or path vulnerability allows remote attackers to access or modify system files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Qnap Path Traversal Photo Station
NVD
CVSS 3.1
9.8
EPSS
89.7%
CVE-2019-7194 CRITICAL POC KEV THREAT Act Now

This external control of file name or path vulnerability allows remote attackers to access or modify system files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Qnap Path Traversal Photo Station
NVD
CVSS 3.1
9.8
EPSS
83.0%
CVE-2019-7192 CRITICAL POC KEV THREAT Act Now

This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Qnap Photo Station
NVD
CVSS 3.1
9.8
EPSS
88.2%
CVE-2019-11822 MEDIUM This Month

Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Synology Photo Station
NVD
CVSS 3.1
6.5
EPSS
1.3%
CVE-2019-11821 CRITICAL Act Now

SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Synology PHP Photo Station
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2018-13282 MEDIUM This Month

Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Synology Photo Station
NVD
CVSS 3.0
6.3
EPSS
1.0%
CVE-2018-0715 MEDIUM POC This Month

Cross-site scripting vulnerability in QNAP Photo Station versions 5.7.0 and earlier could allow remote attackers to inject Javascript code in the compromised application. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Qnap Photo Station
NVD Exploit-DB
CVSS 3.0
6.1
EPSS
3.1%
CVE-2018-8926 HIGH This Week

Permissive regular expression vulnerability in synophoto_dsm_user in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote authenticated users to conduct privilege escalation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Synology Photo Station
NVD
CVSS 3.0
8.8
EPSS
1.7%
CVE-2018-8925 HIGH This Week

Cross-site request forgery (CSRF) vulnerability in admin/user.php in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote attackers to hijack the authentication of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Synology PHP Photo Station
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2017-12072 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.8.0-3456 allows remote authenticated users to inject arbitrary web scripts or HTML via the id. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Synology PHP Photo Station
NVD
CVSS 3.0
5.4
EPSS
0.2%
CVE-2017-12080 MEDIUM This Month

An information exposure vulnerability in default HTTP configuration file in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain sensitive system information. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology Information Disclosure Photo Station
NVD
CVSS 3.0
5.3
EPSS
0.2%
CVE-2017-12079 HIGH This Week

Files or directories accessible to external parties vulnerability in picasa.php in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain arbitrary files via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Synology PHP Information Disclosure Photo Station
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2017-12071 MEDIUM This Month

Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Synology PHP Photo Station
NVD
CVSS 3.0
6.5
EPSS
0.3%
CVE-2017-11162 MEDIUM This Month

Directory traversal vulnerability in synphotoio in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to read arbitrary files via unspecified vectors. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Synology Photo Station
NVD
CVSS 3.0
6.5
EPSS
0.4%
CVE-2017-11161 CRITICAL Act Now

Multiple SQL injection vulnerabilities in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allow remote attackers to execute arbitrary SQL commands via the (1) article_id parameter to label.php;. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology SQLi PHP Photo Station
NVD
CVSS 3.0
9.8
EPSS
0.6%
CVE-2017-9555 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.0-3414 allows remote attackers to inject arbitrary web script or HTML via the image parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Synology PHP Photo Station
NVD
CVSS 3.0
5.4
EPSS
0.2%
CVE-2017-11155 HIGH POC THREAT Act Now

An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to obtain sensitive system information via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 29.5%.

Synology PHP Information Disclosure Photo Station
NVD Exploit-DB
CVSS 3.0
7.5
EPSS
29.5%
CVE-2017-11154 HIGH POC This Week

Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Synology PHP File Upload Photo Station
NVD Exploit-DB
CVSS 3.0
7.2
EPSS
6.9%
CVE-2017-11153 CRITICAL POC THREAT Emergency

Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 15.1%.

Deserialization Synology PHP Photo Station
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
15.1%
CVE-2017-11152 HIGH POC THREAT Act Now

Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.1%.

Path Traversal Synology PHP Photo Station
NVD Exploit-DB
CVSS 3.0
7.5
EPSS
14.1%
CVE-2017-11151 CRITICAL POC THREAT Emergency

A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.8%.

Synology Authentication Bypass PHP Photo Station
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
14.8%
CVE-2015-9102 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Synology Photo Station
NVD
CVSS 3.0
5.4
EPSS
0.3%
CVE-2017-9552 HIGH This Week

A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Synology Information Disclosure Photo Station
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2016-10331 HIGH POC This Week

Directory traversal vulnerability in download.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to read arbitrary files via a full pathname in the id parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Synology PHP Photo Station
NVD
CVSS 3.0
7.5
EPSS
0.4%
CVE-2016-10330 HIGH POC This Week

Directory traversal vulnerability in synophoto_dsm_user, a SUID program, as used in Synology Photo Station before 6.5.3-3226 allows local users to write to arbitrary files via unspecified vectors. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Synology Photo Station
NVD
CVSS 3.0
7.1
EPSS
0.1%
CVE-2016-10329 CRITICAL POC THREAT Emergency

Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted 'X-Forwarded-For'. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 11.3%.

RCE Synology PHP Command Injection Photo Station
NVD
CVSS 3.0
9.8
EPSS
11.3%
CVE-2016-10323 HIGH POC This Week

Synology Photo Station before 6.3-2958 allows local users to gain privileges by leveraging setuid execution of a "synophoto_dsm_user --copy-no-ea" command. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Synology Privilege Escalation Photo Station
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2016-10322 HIGH POC This Week

Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Synology PHP Command Injection Photo Station
NVD
CVSS 3.0
8.8
EPSS
2.8%
CVE-2015-4656 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Synology PHP Photo Station
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2013-5760 MEDIUM POC This Month

QNAP Photo Station before firmware 4.0.3 build0912 allows remote attackers to list OS user accounts via a request to photo/p/api/list.php. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Qnap PHP Information Disclosure Photo Station Firmware Photo Station
NVD
CVSS 2.0
5.0
EPSS
0.2%
EPSS 0% CVSS 9.8
CRITICAL Act Now

Photo Station 5.4.1 & 5.2.7 include the security fix for the vulnerability related to the XMR mining programs identified by internal research. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Photo Station
NVD
EPSS 0% CVSS 2.0
LOW Monitor

A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. Rated low severity (CVSS 2.0), this vulnerability is remotely exploitable. No vendor patch available.

XSS Photo Station
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Photo Station
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Photo Station
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Photo Station
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Photo Station
NVD
EPSS 88% CVSS 9.1
CRITICAL POC KEV THREAT Act Now

An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Qnap Photo Station
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Session Fixation Synology +1
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Photo Station. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Qnap XSS Photo Station
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

A cross-site scripting (XSS) vulnerability has been reported to affect QNAP NAS running Photo Station. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Qnap XSS Photo Station
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Photo Station. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Qnap XSS Photo Station
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in thumbnail component in Synology Photo Station before 6.8.14-3500 allows remote attackers users to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology SQLi Photo Station
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Synology Path Traversal Photo Station
NVD
EPSS 2% CVSS 7.2
HIGH This Week

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in PHP component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Synology SQLi PHP +1
NVD
EPSS 2% CVSS 8.8
HIGH This Week

Unrestricted upload of file with dangerous type vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary code via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Synology RCE File Upload +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

This cross-site scripting vulnerability in Photo Station allows remote attackers to inject malicious code. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Photo Station
NVD
EPSS 90% CVSS 9.8
CRITICAL POC KEV THREAT Act Now

This external control of file name or path vulnerability allows remote attackers to access or modify system files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Qnap Path Traversal Photo Station
NVD
EPSS 83% CVSS 9.8
CRITICAL POC KEV THREAT Act Now

This external control of file name or path vulnerability allows remote attackers to access or modify system files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Qnap Path Traversal Photo Station
NVD
EPSS 88% CVSS 9.8
CRITICAL POC KEV THREAT Act Now

This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Qnap Photo Station
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Synology Photo Station
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Synology PHP +1
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Synology +1
NVD
EPSS 3% CVSS 6.1
MEDIUM POC This Month

Cross-site scripting vulnerability in QNAP Photo Station versions 5.7.0 and earlier could allow remote attackers to inject Javascript code in the compromised application. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Qnap Photo Station
NVD Exploit-DB
EPSS 2% CVSS 8.8
HIGH This Week

Permissive regular expression vulnerability in synophoto_dsm_user in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote authenticated users to conduct privilege escalation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Synology Photo Station
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Cross-site request forgery (CSRF) vulnerability in admin/user.php in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote attackers to hijack the authentication of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Synology PHP +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.8.0-3456 allows remote authenticated users to inject arbitrary web scripts or HTML via the id. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Synology PHP +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

An information exposure vulnerability in default HTTP configuration file in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain sensitive system information. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology Information Disclosure Photo Station
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Files or directories accessible to external parties vulnerability in picasa.php in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain arbitrary files via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Synology PHP +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Synology PHP +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Directory traversal vulnerability in synphotoio in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to read arbitrary files via unspecified vectors. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Synology Photo Station
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Multiple SQL injection vulnerabilities in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allow remote attackers to execute arbitrary SQL commands via the (1) article_id parameter to label.php;. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology SQLi PHP +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.0-3414 allows remote attackers to inject arbitrary web script or HTML via the image parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Synology PHP +1
NVD
EPSS 29% CVSS 7.5
HIGH POC THREAT Act Now

An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to obtain sensitive system information via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 29.5%.

Synology PHP Information Disclosure +1
NVD Exploit-DB
EPSS 7% CVSS 7.2
HIGH POC This Week

Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Synology PHP File Upload +1
NVD Exploit-DB
EPSS 15% CVSS 9.8
CRITICAL POC THREAT Emergency

Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 15.1%.

Deserialization Synology PHP +1
NVD Exploit-DB
EPSS 14% CVSS 7.5
HIGH POC THREAT Act Now

Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.1%.

Path Traversal Synology PHP +1
NVD Exploit-DB
EPSS 15% CVSS 9.8
CRITICAL POC THREAT Emergency

A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.8%.

Synology Authentication Bypass PHP +1
NVD Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Synology Photo Station
NVD
EPSS 0% CVSS 7.8
HIGH This Week

A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Synology Information Disclosure Photo Station
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

Directory traversal vulnerability in download.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to read arbitrary files via a full pathname in the id parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Synology PHP +1
NVD
EPSS 0% CVSS 7.1
HIGH POC This Week

Directory traversal vulnerability in synophoto_dsm_user, a SUID program, as used in Synology Photo Station before 6.5.3-3226 allows local users to write to arbitrary files via unspecified vectors. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Synology Photo Station
NVD
EPSS 11% CVSS 9.8
CRITICAL POC THREAT Emergency

Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted 'X-Forwarded-For'. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 11.3%.

RCE Synology PHP +2
NVD
EPSS 0% CVSS 7.8
HIGH POC This Week

Synology Photo Station before 6.3-2958 allows local users to gain privileges by leveraging setuid execution of a "synophoto_dsm_user --copy-no-ea" command. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Synology Privilege Escalation Photo Station
NVD
EPSS 3% CVSS 8.8
HIGH POC This Week

Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Synology PHP Command Injection +1
NVD
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Synology PHP +1
NVD
EPSS 0% CVSS 5.0
MEDIUM POC This Month

QNAP Photo Station before firmware 4.0.3 build0912 allows remote attackers to list OS user accounts via a request to photo/p/api/list.php. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Qnap PHP Information Disclosure +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy