| The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them. |
|
 |
|
|
Computer vulnerabilities of DSM
Linux kernel: privilege escalation via Ptrace Hardware Breakpoint Settings
Synthesis of the vulnerability
An attacker can bypass restrictions via Ptrace Hardware Breakpoint Settings of the Linux kernel, in order to escalate his privileges.
Impacted products: Debian, Android OS, QRadar SIEM, Linux, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 02/05/2018.
Identifiers: CERTFR-2018-AVI-226, CERTFR-2018-AVI-228, CERTFR-2018-AVI-256, CERTFR-2018-AVI-308, CERTFR-2018-AVI-319, CERTFR-2018-AVI-584, CVE-2018-1000199, DLA-1369-1, DSA-4187-1, DSA-4188-1, ibm10742755, openSUSE-SU-2018:1418-1, RHSA-2018:1318-01, RHSA-2018:1345-01, RHSA-2018:1347-01, RHSA-2018:1348-01, RHSA-2018:1354-01, RHSA-2018:1355-01, RHSA-2018:1374-01, SUSE-SU-2018:1366-1, SUSE-SU-2018:1368-1, SUSE-SU-2018:1374-1, SUSE-SU-2018:1375-1, SUSE-SU-2018:1376-1, SUSE-SU-2018:1816-1, SUSE-SU-2018:1846-1, SUSE-SU-2018:1855-1, Synology-SA-18:51, USN-3641-1, USN-3641-2, VIGILANCE-VUL-25999.
Description of the vulnerability
An attacker can bypass restrictions via Ptrace Hardware Breakpoint Settings of the Linux kernel, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial) |
OpenSSL: information disclosure via RSA Constant Time Key Generation
Synthesis of the vulnerability
An attacker can bypass access restrictions to data via RSA Constant Time Key Generation of OpenSSL, in order to obtain sensitive information.
Impacted products: Debian, AIX, BladeCenter, IBM i, Juniper EX-Series, Juniper J-Series, Junos OS, SRX-Series, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Nodejs Core, OpenBSD, OpenSSL, openSUSE Leap, Oracle Communications, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Solaris, Tuxedo, Oracle Virtual Directory, VirtualBox, WebLogic, Palo Alto Firewall PA***, PAN-OS, Percona Server, XtraBackup, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Nessus, Ubuntu, X2GoClient.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 17/04/2018.
Identifiers: bulletinjul2018, CERTFR-2018-AVI-511, CERTFR-2018-AVI-607, cpuapr2019, cpujan2019, cpujul2019, cpuoct2018, CVE-2018-0737, DLA-1449-1, DSA-4348-1, DSA-4355-1, ibm10729805, ibm10743283, ibm10880781, JSA10919, openSUSE-SU-2018:2695-1, openSUSE-SU-2018:2957-1, openSUSE-SU-2018:3015-1, openSUSE-SU-2019:0152-1, openSUSE-SU-2019:1432-1, PAN-SA-2018-0015, RHSA-2018:3221-01, SSA:2018-226-01, SUSE-SU-2018:2486-1, SUSE-SU-2018:2492-1, SUSE-SU-2018:2683-1, SUSE-SU-2018:2928-1, SUSE-SU-2018:2965-1, SUSE-SU-2018:3864-1, SUSE-SU-2018:3864-2, SUSE-SU-2019:0197-1, SUSE-SU-2019:0512-1, SUSE-SU-2019:1553-1, TNS-2018-14, TNS-2018-17, TSB17568, USN-3628-1, USN-3628-2, USN-3692-1, USN-3692-2, VIGILANCE-VUL-25884.
Description of the vulnerability
An attacker can bypass access restrictions to data via RSA Constant Time Key Generation of OpenSSL, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial) |
Synology Calendar: privilege escalation
Synthesis of the vulnerability
An attacker can bypass restrictions of Synology Calendar, in order to escalate his privileges.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: document.
Creation date: 29/03/2018.
Identifiers: Synology-SA-18:16, VIGILANCE-VUL-25720.
Description of the vulnerability
An attacker can bypass restrictions of Synology Calendar, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial) |
Synology Photo Station: multiple vulnerabilities
Synthesis of the vulnerability
An attacker can use several vulnerabilities of Synology Photo Station.
Impacted products: Synology DSM.
Severity: 3/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 29/03/2018.
Identifiers: CVE-2018-8925, CVE-2018-8926, Synology-SA-18:15, VIGILANCE-VUL-25719.
Description of the vulnerability
An attacker can use several vulnerabilities of Synology Photo Station.
Full Vigil@nce bulletin... (Free trial) |
OpenSSL: denial of service via Recursive ASN.1
Synthesis of the vulnerability
An attacker can generate a fatal error via Recursive ASN.1 of OpenSSL, in order to trigger a denial of service.
Impacted products: Blue Coat CAS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Debian, Avamar, BIG-IP Hardware, TMOS, Fedora, AIX, IBM i, Rational ClearCase, QRadar SIEM, Tivoli Storage Manager, WebSphere MQ, MariaDB ~ precise, McAfee Email Gateway, MySQL Community, MySQL Enterprise, OpenSSL, openSUSE Leap, Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Solaris, Tuxedo, Oracle Virtual Directory, WebLogic, Palo Alto Firewall PA***, PAN-OS, Percona Server, RHEL, stunnel, SUSE Linux Enterprise Desktop, SLES, Symantec Content Analysis, ProxySG by Symantec, SGOS by Symantec, Synology DSM, Synology DS***, Synology RS***, Ubuntu, X2GoClient.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: internet client.
Creation date: 27/03/2018.
Identifiers: 2015887, 524146, bulletinjan2019, CERTFR-2018-AVI-155, cpuapr2019, cpujan2019, cpujul2018, cpujul2019, cpuoct2018, CVE-2018-0739, DLA-1330-1, DSA-2018-125, DSA-4157-1, DSA-4158-1, FEDORA-2018-1b4f1158e2, FEDORA-2018-40dc8b8b16, FEDORA-2018-76afaf1961, FEDORA-2018-9490b422e7, ibm10715641, ibm10717211, ibm10717405, ibm10717409, ibm10719319, ibm10733605, ibm10738249, ibm10874728, K08044291, N1022561, openSUSE-SU-2018:0936-1, openSUSE-SU-2018:1057-1, openSUSE-SU-2018:2208-1, openSUSE-SU-2018:2238-1, openSUSE-SU-2018:2524-1, openSUSE-SU-2018:2695-1, PAN-SA-2018-0015, RHSA-2018:3090-01, RHSA-2018:3221-01, SA166, SB10243, SSA-181018, SUSE-SU-2018:0902-1, SUSE-SU-2018:0905-1, SUSE-SU-2018:0906-1, SUSE-SU-2018:0975-1, SUSE-SU-2018:2072-1, SUSE-SU-2018:2158-1, SUSE-SU-2018:2683-1, Synology-SA-18:51, USN-3611-1, USN-3611-2, VIGILANCE-VUL-25666.
Description of the vulnerability
An attacker can generate a fatal error via Recursive ASN.1 of OpenSSL, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial) |
Synology DSM: Cross Site Scripting
Synthesis of the vulnerability
An attacker can trigger a Cross Site Scripting of Synology DSM, in order to run JavaScript code in the context of the web site.
Impacted products: Synology DSM, Synology DS***, Synology RS***.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 27/03/2018.
Identifiers: CVE-2018-8917, CVE-2018-8919, CVE-2018-8920, Synology-SA-18:14, VIGILANCE-VUL-25664.
Description of the vulnerability
The Synology DSM product offers a web service.
However, it does not filter received data before inserting them in generated HTML documents.
An attacker can therefore trigger a Cross Site Scripting of Synology DSM, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial) |
Synology Office: Cross Site Scripting
Synthesis of the vulnerability
An attacker can trigger a Cross Site Scripting of Synology Office, in order to run JavaScript code in the context of the web site.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 26/03/2018.
Identifiers: CVE-2018-8924, Synology-SA-18:12, VIGILANCE-VUL-25652.
Description of the vulnerability
The Synology Office product offers a web service.
However, it does not filter received data before inserting them in generated HTML documents.
An attacker can therefore trigger a Cross Site Scripting of Synology Office, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial) |
Synology Drive: multiple vulnerabilities
Synthesis of the vulnerability
An attacker can use several vulnerabilities of Synology Drive.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: client access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 21/03/2018.
Identifiers: CVE-2018-8921, CVE-2018-8922, Synology-SA-18:11, VIGILANCE-VUL-25614.
Description of the vulnerability
An attacker can use several vulnerabilities of Synology Drive.
Full Vigil@nce bulletin... (Free trial) |
Synology CardDAV Server: Cross Site Scripting
Synthesis of the vulnerability
An attacker can trigger a Cross Site Scripting of Synology CardDAV Server, in order to run JavaScript code in the context of the web site.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 20/03/2018.
Identifiers: CVE-2018-8928, Synology-SA-18:10, VIGILANCE-VUL-25603.
Description of the vulnerability
An attacker can trigger a Cross Site Scripting of Synology CardDAV Server, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial) |
Synology File Station: Cross Site Scripting
Synthesis of the vulnerability
An attacker can trigger a Cross Site Scripting of Synology File Station, in order to run JavaScript code in the context of the web site.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 20/03/2018.
Identifiers: CVE-2018-8923, Synology-SA-18:09, VIGILANCE-VUL-25602.
Description of the vulnerability
An attacker can trigger a Cross Site Scripting of Synology File Station, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial) |
Our database contains other pages. You can request a free trial to read them.
Display information about DSM:
|