Headline
CVE-2019-11822: Synology_SA_19_01 | Synology Inc.
Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter.
Abstract
These vulnerabilities allow remote attackers to execute arbitrary SQL commands and remote authenticated users to upload arbitrary files via a susceptible version of Photo Station.
Affected Products
- Photo Station 6.8: Severity Important. Fixed release: upgrade to 6.8.11-3489 or above.
- Photo Station 6.3: Severity Important. Fixed release: upgrade to 6.3-2977 or above.
Mitigation
None
Detail
CVE-2019-11821
- Severity: Important
- CVSS3 Base Score: 7.3
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL commands via the type parameter.
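The class of defect behind CVE-2019-11821 is a request parameter spliced into SQL text. The following is an added illustration in Python, not Synology's PHP code and not a reproduction of synophoto_csPhotoDB.php: it runs the same lookup two ways against a constructed in-memory SQLite table, first with string concatenation and then with a bound parameter plus an allowlist, so the difference is observable offline. The table layout, the item names and the set of accepted types are assumptions made for the example.

```python
"""Added example (not Synology's code): a lookup keyed on a request-supplied
'type' value, written unsafely and safely, over constructed sample data."""
import sqlite3
from typing import List

# Constructed sample rows standing in for a photo metadata table.
_ROWS = [
    ("beach.jpg", "photo", "public"),
    ("trip.mp4", "video", "public"),
    ("payroll.pdf", "document", "private"),
]

def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT, type TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", _ROWS)
    return conn

def lookup_unsafe(type_param: str) -> List[str]:
    """Vulnerable pattern: the parameter becomes part of the SQL text, so a
    quote character in it changes the query's structure instead of its data."""
    conn = _connect()
    sql = ("SELECT name FROM items WHERE visibility = 'public' "
           f"AND type = '{type_param}'")
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(type_param: str) -> List[str]:
    """Binding alone: the value is sent separately from the statement and can
    only ever be compared as a literal string, so no row has that type."""
    conn = _connect()
    sql = "SELECT name FROM items WHERE visibility = 'public' AND type = ?"
    return [row[0] for row in conn.execute(sql, (type_param,))]

# Assumed allowlist of the values the endpoint is meant to accept.
ALLOWED_TYPES = frozenset({"photo", "video"})

def validate_type(type_param: str) -> bool:
    """Defence in depth: reject anything outside the known set before it
    reaches the database at all, which also makes bad input easy to log."""
    return type_param in ALLOWED_TYPES

def lookup_safe(type_param: str) -> List[str]:
    """Hardened pattern: allowlist first, bound parameter second."""
    if not validate_type(type_param):
        raise ValueError("unsupported type value")
    return lookup_bound(type_param)
```

`lookup_unsafe` with a value containing a quote returns every row, private ones included, because the `OR` it introduces overrides the visibility filter; `lookup_bound` treats the same value as an ordinary string and returns nothing, and `lookup_safe` refuses it before any query runs.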
CVE-2019-11822
- Severity: Moderate
- CVSS3 Base Score: 4.3
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter.
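CVE-2019-11822 is a relative path traversal in an upload parameter: a name containing `..` segments resolves outside the directory the upload was meant for. The following is an added example in Python, not Synology's code and not the SYNO.PhotoStation.File implementation; it shows the containment check an upload handler needs, written with `posixpath` so it behaves identically on any OS and needs no filesystem access. The upload root `/volume1/photo` and the album layout are assumed example values.

```python
"""Added example (not Synology's code): containment check for a
request-controlled album and filename before an upload is written."""
import posixpath

class UnsafeUploadPath(ValueError):
    """Raised when the requested path would land outside the upload root."""

def safe_upload_path(upload_root: str, album: str, filename: str) -> str:
    """Return the absolute path an upload may be written to, or raise.

    upload_root: absolute directory every upload must stay under (an assumed
    example value in the tests, not Photo Station's real layout).
    album, filename: request-controlled and therefore untrusted.
    """
    if not posixpath.isabs(upload_root):
        raise ValueError("upload_root must be absolute")
    root = posixpath.normpath(upload_root)

    for part in (album, filename):
        # An absolute component makes join() discard the root entirely; NUL
        # bytes and backslashes are never legitimate in a photo name here.
        if not part or posixpath.isabs(part) or "\\" in part or "\x00" in part:
            raise UnsafeUploadPath(f"rejected component: {part!r}")
    if "/" in filename:
        raise UnsafeUploadPath("filename must not contain a directory separator")

    # normpath collapses every '.' and '..' so the comparison sees the real
    # target. Comparing against root + '/' rather than root alone stops a
    # sibling such as '/volume1/photo_old' from passing as inside the root.
    candidate = posixpath.normpath(posixpath.join(root, album, filename))
    if not candidate.startswith(root.rstrip("/") + "/"):
        raise UnsafeUploadPath(f"escapes upload root: {candidate}")
    return candidate

def is_allowed(upload_root: str, album: str, filename: str) -> bool:
    """Boolean form of the check, convenient for logging or metrics."""
    try:
        safe_upload_path(upload_root, album, filename)
        return True
    except ValueError:
        return False
```

The check is applied to the normalised result rather than by searching the input for `..`, so encoded or nested forms such as `holiday/../..` are caught by the same rule, while a harmless name that merely starts with dots, such as `..trick.jpg`, is still accepted.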
Acknowledgement
Independent security researcher, MengHuan Yu, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Revision
- Revision 1 (2019-01-02): Initial public release.
- Revision 2 (2019-06-30): Disclosed vulnerability details.