Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted βX-Forwarded-Forβ header.
[
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 6.5.3-3226"
}
]
}
]