57 matches found
CVE-2025-13392
Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager DSM before 7.2.2-72806-5 and 7.3.1-86003-1 7.2.1-69057 is not affected allows remote attackers to bypass authentication with prior knowledge of the distinguished name DN...
CVE-2025-13392
Summary : CVE-2025-13392 affects Synology DiskStation Manager (DSM) via an improper check in the SSO authentication flow, enabling remote authentication bypass with knowledge of a DN. Affected versions : DSM before 7.2.2-72806-5 and 7.3.1-86003-1 (7.2.1-69057 is not affected). Impact : local/remo...
PT-2026-33604
CVE-2026-40530, CVE-2026-4036, and others: Vulnerabilities in Synology DSM, up to 8.0 rating 🔥 Several vulnerabilities in Synology DiskStation Manager DSM allow remote authenticated attacker to read or write files, conduct denial-of-service attacks, and obtain information, including arbitrary...
CVE-2024-45538
Cross-Site Request Forgery CSRF vulnerability in WebAPI Framework in Synology DiskStation Manager DSM before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller DSMUC before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors...
EUVD-2021-14395
Malware in sbrugna...
Synology DSM Use of a Broken or Risky Cryptographic Algorithm (CVE-2020-27653)
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager DSM before 6.2.325426 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors. This plugin only works with Tenable.ot. Please visit...
Synology DSM HTTP/2 Implementations Allocation of Resources Without Limits or Throttling (CVE-2019-9515)
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost...
Synology DSM HTTP/2 Implementations Allocation of Resources Without Limits or Throttling (CVE-2019-9516)
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory fo...
Synology DSM HTTP/2 Implementations Window Size and Stream Prioritization Manipulation (CVE-2019-9511)
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority ...
CVE-2023-2729
Use of insufficiently random values vulnerability in User Management Functionality in Synology DiskStation Manager DSM before 7.2-64561 allows remote attackers to obtain user credential via unspecified vectors...
SUSE CVE-2015-2809
The Multicast DNS mDNS responder in Synology DiskStation Manager DSM before 3.1 inadvertently responds to unicast queries with source addresses that are not link-local, which allows remote attackers to cause a denial of service traffic amplification or obtain potentially sensitive information via...
Synology DiskStation Manager (DSM) Multiple Samba Vulnerabilities (Synology-SA-22:10)
Synology DiskStation Manager DSM is prone to multiple vulnerabilities in Samba. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
Synology DiskStation Manager (DSM) 6.2.x, 7.0.x OpenSSL Vulnerability (Synology-SA-22:04)
Synology DiskStation Manager DSM is prone to a denial of service DoS vulnerability in OpenSSL. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
CVE-2022-27622
Server-Side Request Forgery SSRF vulnerability in Package Center functionality in Synology DiskStation Manager DSM before 7.1-42661 allows remote authenticated users to access intranet resources via unspecified vectors...
Synology NAS / DiskStation Manager (DSM) Detection Consolidation
Consolidation of Synology NAS devices, DiskStation Manager DSM OS and application detections. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
CVE-2022-27625
A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the message processing functionality of Out-of-Band OOB Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology...
Race condition
A vulnerability regarding concurrent execution using shared resource with improper synchronization 'Race Condition' is found in the session processing functionality of Out-of-Band OOB Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following...
CVE-2022-22687
Buffer copy without checking size of input 'Classic Buffer Overflow' vulnerability in Authentication functionality in Synology DiskStation Manager DSM before 6.2.3-25426-3 allows remote attackers to execute arbitrary code via unspecified vectors...
CVE-2022-22688
CVE-2022-22688 is a vulnerability in Synology DiskStation Manager (DSM) File service where improper neutralization of special command elements enables a remote authenticated user to execute arbitrary commands. Affected software: DSM versions prior to 6.2.4-25556-2. Root cause: inadequate filterin...
CVE-2021-43927
Improper neutralization of special elements used in an SQL command 'SQL Injection' vulnerability in Security Management functionality in Synology DiskStation Manager DSM before 7.0.1-42218-2 allows remote attackers to inject SQL commands via unspecified vectors...