Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2019-11822: Synology_SA_19_01 | Synology Inc.

Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter.

CVE
#sql#vulnerability#php#auth

Abstract

These vulnerabilities allow remote attackers to execute arbitrary SQL commands and remote authenticated users to upload arbitrary files via a susceptible version of Photo Station.

Affected Products

Product

Severity

Fixed Release Availability

Photo Station 6.8

Important

Upgrade to 6.8.11-3489 or above.

Photo Station 6.3

Important

Upgrade to 6.3-2977 or above.

Mitigation

None

Detail

  • CVE-2019-11821

    • Severity: Important
    • CVSS3 Base Score: 7.3
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    • SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter.
  • CVE-2019-11822

    • Severity: Moderate
    • CVSS3 Base Score: 4.3
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    • Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter.

Acknowledgement

Independent security researcher, MengHuan Yu, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Revision

Revision

Date

Description

1

2019-01-02

Initial public release.

2

2019-06-30

Disclosed vulnerability details.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907