Skip to main content

Synology

Vendor security scorecard – 265 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 1135
265
CVEs
40
Critical
95
High
0
KEV
42
PoC
118
Unpatched C/H
15.8%
Patch Rate
2.2%
Avg EPSS

Severity Breakdown

CRITICAL
40
HIGH
95
MEDIUM
123
LOW
7

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2013-6955 webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files,. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 83.3%. CRITICAL 10.0 83.3% 168
PoC No patch
CVE-2017-15889 Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via disk field. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 62.4%. HIGH 8.8 62.4% 141
PoC No patch
CVE-2017-9554 An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 57.9%. MEDIUM 5.3 57.9% 104
PoC No patch
CVE-2015-6912 Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharacters in the subtitle_codepage parameter to subtitle.cgi. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 29.7%. CRITICAL 10.0 29.7% 100
PoC No patch
CVE-2013-6987 Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 30.2%. HIGH 7.5 30.2% 88
PoC No patch
CVE-2017-11155 An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to obtain sensitive system information via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 29.5%. HIGH 7.5 29.5% 87
PoC No patch
CVE-2017-11153 Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 15.1%. CRITICAL 9.8 15.1% 84
PoC No patch
CVE-2017-11151 A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.8%. CRITICAL 9.8 14.8% 84
PoC No patch
CVE-2016-10329 Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted 'X-Forwarded-For'. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 11.3%. CRITICAL 9.8 11.3% 80
PoC No patch
CVE-2017-11152 Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.1%. HIGH 7.5 14.1% 72
PoC No patch
CVE-2020-27655 Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 10.0 1.7% 70
PoC No patch
CVE-2020-27654 Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 9.8 4.6% 69
PoC No patch
CVE-2020-27660 SQL injection vulnerability in request.cgi in Synology SafeAccess before 1.2.3-0234 allows remote attackers to execute arbitrary SQL commands via the domain parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. CRITICAL 9.8 4.6% 69
PoC No patch
CVE-2024-10443 Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. CRITICAL 9.8 28.4% 69
PoC No patch
CVE-2016-10322 Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available. HIGH 8.8 2.8% 67
PoC No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy