Directory traversal vulnerability in download.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to read arbitrary files via a full pathname in the id parameter.
[
{
"product": "Synology Photo Station",
"vendor": "Synology",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 6.5.3-3226"
}
]
}
]