
synology diskstation manager

96 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2024-5401
>= 7.2.1-69057 and < 7.2.1-69057-2
Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) bef
4.3 MEDIUM
CVE-2024-45539
>= 7.2.1-69057 and < 7.2.1-69057-2
Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and
7.5 HIGH
CVE-2024-45538
>= 7.2.1-69057 and < 7.2.1-69057-2
Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and
9.6 CRITICAL
CVE-2025-1021
>= 7.1 and < 7.1.1-42962-8
Missing authorization vulnerability in synocopy in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.
7.5 HIGH
CVE-2024-50629
>= 7.1 and < 7.1.1-42962-7
Improper encoding or escaping of output vulnerability in the webapi component in Synology BeeStation OS (BSM) before 1.1-65374 and
5.3 MEDIUM
CVE-2024-10445
>= 6.2 and < 6.2.4-25556-8
Improper certificate validation vulnerability in the update functionality in Synology BeeStation OS (BSM) before 1.1-65374 and Syn
4.3 MEDIUM
CVE-2024-10444
>= 7.1 and < 7.1.1-42962-8
Improper certificate validation vulnerability in the LDAP utilities in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.
7.5 HIGH
CVE-2024-10441
>= 7.2 and < 7.2-64570-4
Improper encoding or escaping of output vulnerability in the system plugin daemon in Synology BeeStation OS (BSM) before 1.1-65374
9.8 CRITICAL
CVE-2024-0854
< 7.2.1-69057-2
URL redirection to untrusted site ('Open Redirect') vulnerability in file access component in Synology DiskStation Manager (DSM) b
5.4 MEDIUM
CVE-2023-2729
>= 6.2 and < 7.2-64561
Use of insufficiently random values vulnerability in User Management Functionality in Synology DiskStation Manager (DSM) before 7.
5.9 MEDIUM
CVE-2023-0142
>= 6.2 and < 7.1-42661
Uncontrolled search path element vulnerability in Backup Management functionality in Synology DiskStation Manager (DSM) before 6.2
6.5 MEDIUM
CVE-2022-27623
< 7.1-42661
Missing authentication for critical function vulnerability in iSCSI management functionality in Synology DiskStation Manager (DSM)
7.4 HIGH
CVE-2022-27622
< 7.1-42661
Server-Side Request Forgery (SSRF) vulnerability in Package Center functionality in Synology DiskStation Manager (DSM) before 7.1-
4.1 MEDIUM
CVE-2022-3576
< 7.1.1-42962-2
A vulnerability regarding out-of-bounds read is found in the session processing functionality of Out-of-Band (OOB) Management. Thi
5.3 MEDIUM
CVE-2022-27626
< 7.1.1-42962-2
A vulnerability regarding concurrent execution using shared resource with improper synchronization ('Race Condition') is found in
10.0 CRITICAL
CVE-2022-27625
< 7.1.1-42962-2
A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the message processi
10.0 CRITICAL
CVE-2022-27624
< 7.1.1-42962-2
A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the packet decryptio
10.0 CRITICAL
CVE-2022-27616
>= 6.2 and < 6.2.4-25556-5
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in webapi component in Sy
7.2 HIGH
CVE-2022-22684
< 6.2.4-25553
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management compon
7.2 HIGH
CVE-2022-27610
>= 6.2 and < 6.2.3-25423
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskS
6.5 MEDIUM
CVE-2022-22688
>= 6.2 and < 6.2.4-25556-2
Improper neutralization of special elements used in a command ('Command Injection') vulnerability in File service functionality in
8.8 HIGH
CVE-2022-22687
>= 6.2 and < 6.2.3-25426-3
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in Authentication functionality in Synology D
9.8 CRITICAL
CVE-2021-44142
>= 6.2 and < 6.2.4-25556.4
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients
8.8 HIGH
CVE-2022-22679
>= 6.2 and < 6.2.4-25556-3
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in support service management in Syno
6.5 MEDIUM
CVE-2021-43929
>= 6.2 and < 6.2.4-25556-3
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow mana
6.5 MEDIUM
CVE-2021-43927
>= 6.2 and < 6.2.4-25556-3
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Security Management function
4.7 MEDIUM
CVE-2021-43926
>= 6.2 and < 6.2.4-25556-3
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality
4.7 MEDIUM
CVE-2021-43925
>= 6.2 and < 6.2.4-25556-3
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log Management functionality
4.7 MEDIUM
CVE-2022-22680
>= 6.2 and < 6.2.4-25556-3
Exposure of sensitive information to an unauthorized actor vulnerability in Web Server in Synology DiskStation Manager (DSM) befor
5.3 MEDIUM
CVE-2021-29087
>= 6.2 and < 6.2.3-25426-3
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskS
7.5 HIGH
CVE-2021-29086
>= 6.2 and < 6.2.3-25426-3
Exposure of sensitive information to an unauthorized actor vulnerability in webapi component in Synology DiskStation Manager (DSM)
5.3 MEDIUM
CVE-2021-29085
>= 6.2 and < 6.2.3-25426-3
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in file sharing m
8.6 HIGH
CVE-2021-29084
>= 6.2 and < 6.2.3-25426-3
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in Security Advis
7.5 HIGH
CVE-2021-27649
>= 6.2 and < 6.2.3-25426-3
Use after free vulnerability in file transfer protocol component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows
9.8 CRITICAL
CVE-2021-33182
< 6.2.4-25553
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in PDF Viewer component in Synology D
5.0 MEDIUM
CVE-2021-29088
< 6.2.4-25553
Improper limitation of a pathname to a restricted directory ('Path Traversal') in cgi component in Synology DiskStation Manager (D
7.8 HIGH
CVE-2021-31439
>= 6.2 and < 6.2.3-25426-3
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation M
8.8 HIGH
CVE-2021-29083
< 6.2.3-25426-3
Improper neutralization of special elements used in an OS command in SYNO.Core.Network.PPPoE in Synology DiskStation Manager (DSM)
7.2 HIGH
CVE-2021-27647
< 6.2.3-25426-3
Out-of-bounds Read vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows rem
9.8 CRITICAL
CVE-2021-27646
< 6.2.3-25426-3
Use After Free vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote
9.8 CRITICAL
CVE-2021-26569
< 6.2.3-25426-3
Race Condition within a Thread vulnerability in iscsi_snapshot_comm_core in Synology DiskStation Manager (DSM) before 6.2.3-25426-
9.8 CRITICAL
CVE-2021-26567
< 6.2.3-25426-3
Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allows local attackers to execute arbitrary co
7.8 HIGH
CVE-2021-26566
< 6.2.3-25426-3
Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-2
8.3 HIGH
CVE-2021-26565
< 6.2.3-25426-3
Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-254
8.3 HIGH
CVE-2021-26564
< 6.2.3-25426-3
Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-254
8.3 HIGH
CVE-2021-26563
< 6.2.4-25553
Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local
8.2 HIGH
CVE-2021-26562
< 6.2.3-25426-3
Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-t
9.0 CRITICAL
CVE-2021-26561
< 6.2.3-25426-3
Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows
9.0 CRITICAL
CVE-2021-26560
< 6.2.3-25426-3
Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6
9.0 CRITICAL
CVE-2021-3156
all versions
Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalatio
7.8 HIGH
CVE-2020-27656
>= 6.2 and < 6.2.3-25426-2
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 a
6.5 MEDIUM
CVE-2020-27653
all versions
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle atta
8.3 HIGH
CVE-2020-27652
>= 6.2 and < 6.2.3-25426-2
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-mid
8.3 HIGH
CVE-2020-27650
>= 6.2 and < 6.2.3-25426-2
Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, w
5.8 MEDIUM
CVE-2020-27648
>= 6.2 and < 6.2.3-25426-2
Improper certificate validation vulnerability in OpenVPN client in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows
8.3 HIGH
CVE-2019-19344
all versions
There is a use-after-free issue in all samba 4.9.x versions before 4.9.18, all samba 4.10.x versions before 4.10.12 and all samba
6.5 MEDIUM
CVE-2019-14907
all versions
All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with "log
6.5 MEDIUM
CVE-2019-9518
all versions
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker se
7.5 HIGH
CVE-2019-9517
all versions
Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. Th
7.5 HIGH
CVE-2019-9516
all versions
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stre
6.5 MEDIUM
CVE-2019-9515
all versions
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a s
7.5 HIGH
CVE-2019-9514
all versions
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a numb
7.5 HIGH
CVE-2019-9513
all versions
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates mul
7.5 HIGH
CVE-2019-9511
all versions
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading
7.5 HIGH
CVE-2019-3870
all versions
A vulnerability was found in Samba from version (including) 4.9 to versions before 4.9.6 and 4.10.2. During the creation of a new
6.1 MEDIUM
CVE-2018-13293
>= 5.2 and < 6.2.1-23824
Cross-site scripting (XSS) vulnerability in Control Panel SSO Settings in Synology DiskStation Manager (DSM) before 6.2.1-23824 al
5.9 MEDIUM
CVE-2018-13291
>= 5.2 and < 6.2.1-23824
Information exposure vulnerability in /usr/syno/etc/mount.conf in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows rem
4.3 MEDIUM
CVE-2018-13286
>= 5.2 and < 5.2-5967-8
Incorrect default permissions vulnerability in synouser.conf in Synology DiskStation Manager (DSM) before 6.2-23739-1 allows remot
6.5 MEDIUM
CVE-2018-13284
>= 5.2 and < 5.2-5967-8
Command injection vulnerability in ftpd in Synology DiskStation Manager (DSM) before 6.2-23739-1 allows remote authenticated users
7.5 HIGH
CVE-2017-16774
>= 5.2 and < 6.1.4-15217-3
Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.
6.5 MEDIUM
CVE-2018-8920
< 6.1.6-15266
Improper neutralization of escape vulnerability in Log Exporter in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows re
7.2 HIGH
CVE-2018-8919
< 6.1.6-15266
Information exposure vulnerability in SYNO.Core.Desktop.SessionData in Synology DiskStation Manager (DSM) before 6.1.6-15266 allow
8.3 HIGH
CVE-2018-8917
< 6.1.6-15266
Cross-site scripting (XSS) vulnerability in info.cgi in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attack
6.5 MEDIUM
CVE-2018-1160
>= 5.2 and < 5.2-5967-9
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attack
9.8 CRITICAL
CVE-2018-13281
>= 6.1 and < 6.1.7-15284-2
Information exposure vulnerability in SYNO.Core.ACL in Synology DiskStation Manager (DSM) before 6.2-23739-2 allows remote authent
4.3 MEDIUM
CVE-2018-13280
< 6.2-23739
Use of insufficiently random values vulnerability in SYNO.Encryption.GenRandomKey in Synology DiskStation Manager (DSM) before 6.2
7.4 HIGH
CVE-2018-8916
< 6.2-23739
Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote a
6.3 MEDIUM
CVE-2017-12075
< 6.2-23739
Command injection vulnerability in EZ-Internet in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated
7.2 HIGH
CVE-2018-8897
all versions
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandl
7.8 HIGH
CVE-2018-7185
>= 5.2 and < 6.1.6-15266
The protocol engine in ntp 4.2.6 before 4.2.8p11 allows remote attackers to cause a denial of service (disruption) by continuall
7.5 HIGH
CVE-2018-7184
all versions
ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to c
7.5 HIGH
CVE-2018-7170
>= 5.2 and < 6.1.6-15266
ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create
5.3 MEDIUM
CVE-2017-5753
>= 5.2 and < 6.2.2-24922
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of informatio
5.6 MEDIUM
CVE-2017-16766
>= 6.1.0 and < 6.1.4-15217
An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.
6.5 MEDIUM
CVE-2017-15894
>= 5.2 and < 5.2-5967-6
Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology DiskStation Manager (DSM) 6.0.x before 6.0.3-8754-3
6.5 MEDIUM
CVE-2017-15889
< 5.2-5967-5
Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated u
8.8 HIGH
CVE-2017-14491
all versions
Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrar
9.8 CRITICAL
CVE-2017-12076
<= 6.1
Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology DiskStation (DSM) before 6.1.1-15088
4.9 MEDIUM
CVE-2017-9554
<= 6.1.1-15101-4
An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote
5.3 MEDIUM
CVE-2017-9553
<= 6.1.1-15101-4
A design flaw in SYNO.API.Encryption in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to bypass th
7.5 HIGH
CVE-2015-4655
<= 5.2-5565
Cross-site scripting (XSS) vulnerability in Synology DiskStation Manager (DSM) before 5.2-5565 Update 1 allows remote attackers to
CVE-2015-2809
<= 3.0
The Multicast DNS (mDNS) responder in Synology DiskStation Manager (DSM) before 3.1 inadvertently responds to unicast queries with
CVE-2012-1556
all versions
Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attacker
CVE-2014-2264
all versions
The OpenVPN module in Synology DiskStation Manager (DSM) 4.3-3810 update 1 has a hardcoded root password of synopass, which makes
CVE-2013-6955
all versions
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 U
CVE-2013-6987
all versions
Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 U
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin