PT-2023-22228 · Jizhicms · Jizhicms

Name of the Vulnerable Software and Affected Versions: JIZHICMS version 2.4.5 Description: A critical issue has been found, affecting the index function of the TemplateController.php file. The manipulation of the webapi argument leads to server-side request forgery, allowing for remote attacks...

CVE-2022-35413

WAPPLES through 6.0 has a hardcoded systemi account. A threat actor could use this account to access the system configuration and confidential information such as SSL keys via an HTTPS request to the /webapi/ URI on port 443 or 5001...

PT-2022-22814 · Wapples · Wapples

Name of the Vulnerable Software and Affected Versions: WAPPLES versions through 6.0 Description: A threat actor could use a hardcoded systemi account to access the system configuration and confidential information, such as SSL keys, via an HTTPS request to the "/webapi/" URI on port 443 or 5001...

CVE-2022-27621

Improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in webapi component in Synology USB Copy before 2.2.0-1086 allows remote authenticated users to read or write arbitrary files via unspecified vectors...

CVE-2022-27620

Improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in webapi component in Synology SSO Server before 2.2.3-0331 allows remote authenticated users to read arbitrary files via unspecified vectors...

Path traversal

Improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in webapi component in Synology Calendar before 2.3.4-0631 allows remote authenticated users to download arbitrary files via unspecified vectors...

Path traversal

Improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in webapi component in Synology Storage Analyzer before 2.1.0-0390 allows remote authenticated users to delete arbitrary files via unspecified vectors...

Path traversal

Improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in webapi component in Synology SSO Server before 2.2.3-0331 allows remote authenticated users to read arbitrary files via unspecified vectors...

CVE-2022-27617

Improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in webapi component in Synology Calendar before 2.3.4-0631 allows remote authenticated users to download arbitrary files via unspecified vectors...

CVE-2022-27616

Improper neutralization of special elements used in an OS command 'OS Command Injection' vulnerability in webapi component in Synology DiskStation Manager DSM before 7.0.1-42218-3 allows remote authenticated users to execute arbitrary commands via unspecified vectors...

CVE-2022-27616

Improper neutralization of special elements used in an OS command 'OS Command Injection' vulnerability in webapi component in Synology DiskStation Manager DSM before 7.0.1-42218-3 allows remote authenticated users to execute arbitrary commands via unspecified vectors...

PT-2022-18526 · Synology · Synology Sso Server

Name of the Vulnerable Software and Affected Versions: Synology SSO Server versions prior to 2.2.3-0331 Description: The issue is related to a Path Traversal vulnerability in the webapi component, allowing remote authenticated users to read arbitrary files via unspecified vectors. Recommendations...

Vulnerabilities fixed in Synology products

Synology has fixed vulnerabilities in multiple products. The vulnerabilities allow a malicious party to launch attacks the following categories of damage: Manipulation of data Remote code execution Application rights Access to sensitive data Synology rated the vulnerability with attribute...

PT-2022-18522 · Synology · Synology Calendar

Name of the Vulnerable Software and Affected Versions: Synology Calendar versions prior to 2.3.4-0631 Description: The issue is related to an improper limitation of a pathname to a restricted directory, also known as a 'Path Traversal' vulnerability, in the webapi component. This allows remote...

PT-2022-18521 · Synology · Synology Diskstation Manager

Name of the Vulnerable Software and Affected Versions: Synology DiskStation Manager DSM versions prior to 7.0.1-42218-3 Description: The issue is related to improper neutralization of special elements used in an OS command, also known as 'OS Command Injection'. This allows remote authenticated...

CVE-2022-27620

Improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in webapi component in Synology SSO Server before 2.2.3-0331 allows remote authenticated users to read arbitrary files via unspecified vectors...

CVE-2022-27618

Improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in webapi component in Synology Storage Analyzer before 2.1.0-0390 allows remote authenticated users to delete arbitrary files via unspecified vectors...

Path traversal

Improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in webapi component in Synology Audio Station before 6.5.4-3367 allows remote authenticated users to delete arbitrary files via unspecified vectors...

CVE-2022-22685

Improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in webapi component in Synology WebDAV Server before 2.4.0-0062 allows remote authenticated users to delete arbitrary files via unspecified vectors...

CVE-2022-27613

Improper neutralization of special elements used in an SQL command 'SQL Injection' vulnerability in webapi component in Synology CardDAV Server before 6.0.10-0153 allows remote authenticated users to inject SQL commands via unspecified vectors...