The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of DSM

computer vulnerability note CVE-2017-16771

Synology Photo Station: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Synology Photo Station.
Impacted products: Synology DSM, Synology DS***, Synology RS***.
Severity: 3/4.
Consequences: user access/rights, client access/rights.
Provenance: intranet client.
Creation date: 10/01/2018.
Identifiers: CVE-2017-16771, Synology-SA-18:02, VIGILANCE-VUL-24999.

Description of the vulnerability

An attacker can use several vulnerabilities of Synology Photo Station.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2017-5754

Intel Processors: memory reading via Meltdown

Synthesis of the vulnerability

When the system uses an Intel processor, a local attacker can access to the kernel memory, in order to read sensitive information.
Impacted products: SNS, iOS by Apple, iPhone, Mac OS X, Blue Coat CAS, Cisco ASR, Cisco Catalyst, Nexus by Cisco, NX-OS, Cisco Router, Cisco UCS, XenServer, Debian, Avamar, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, FortiAnalyzer, FortiGate, FortiManager, FortiOS, FreeBSD, Android OS, AIX, IBM i, QRadar SIEM, Juniper J-Series, Junos OS, Junos Space, NSMXpress, Linux, McAfee Email Gateway, McAfee NSM, McAfee NTBA, McAfee Web Gateway, Meinberg NTP Server, Edge, IE, SQL Server, Windows 10, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 2016, Windows 7, Windows 8, Windows (platform) ~ not comprehensive, Windows RT, OpenBSD, openSUSE Leap, Oracle Communications, pfSense, RealPresence Collaboration Server, RealPresence Distributed Media Application, RealPresence Resource Manager, RHEL, SIMATIC, Slackware, Sonus SBC, SUSE Linux Enterprise Desktop, SLES, Symantec Content Analysis, Synology DSM, Synology DS***, Synology RS***, Ubuntu, Unix (platform) ~ not comprehensive, vCenter Server, Xen.
Severity: 2/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 03/01/2018.
Revision date: 05/01/2018.
Identifiers: 2016636, 519675, ADV180002, CERTFR-2018-ALE-001, CERTFR-2018-AVI-004, CERTFR-2018-AVI-005, CERTFR-2018-AVI-009, CERTFR-2018-AVI-012, CERTFR-2018-AVI-014, CERTFR-2018-AVI-017, CERTFR-2018-AVI-018, CERTFR-2018-AVI-029, CERTFR-2018-AVI-048, CERTFR-2018-AVI-049, CERTFR-2018-AVI-077, CERTFR-2018-AVI-079, CERTFR-2018-AVI-114, CERTFR-2018-AVI-124, CERTFR-2018-AVI-134, CERTFR-2018-AVI-208, CERTFR-2018-AVI-225, cisco-sa-20180104-cpusidechannel, cpuapr2019, CTX231390, CTX231399, CTX234679, CVE-2017-5754, DLA-1232-1, DLA-1349-1, DSA-2018-049, DSA-4078-1, DSA-4082-1, DSA-4120-1, DSA-4120-2, DSA-4179-1, FG-IR-18-002, FreeBSD-SA-18:03.speculative_execution, HT208331, HT208334, HT208394, HT208465, JSA10842, JSA10873, K91229003, MBGSA-1801, Meltdown, N1022433, nas8N1022433, openSUSE-SU-2018:0022-1, openSUSE-SU-2018:0023-1, openSUSE-SU-2018:0326-1, openSUSE-SU-2018:0459-1, openSUSE-SU-2018:1623-1, RHSA-2018:0007-01, RHSA-2018:0008-01, RHSA-2018:0009-01, RHSA-2018:0010-01, RHSA-2018:0011-01, RHSA-2018:0012-01, RHSA-2018:0013-01, RHSA-2018:0014-01, RHSA-2018:0015-01, RHSA-2018:0016-01, RHSA-2018:0017-01, RHSA-2018:0018-01, RHSA-2018:0020-01, RHSA-2018:0021-01, RHSA-2018:0022-01, RHSA-2018:0023-01, RHSA-2018:0024-01, RHSA-2018:0025-01, RHSA-2018:0026-01, RHSA-2018:0027-01, RHSA-2018:0028-01, RHSA-2018:0029-01, RHSA-2018:0030-01, RHSA-2018:0031-01, RHSA-2018:0032-01, RHSA-2018:0034-01, RHSA-2018:0035-01, RHSA-2018:0036-01, RHSA-2018:0037-01, RHSA-2018:0038-01, RHSA-2018:0039-01, RHSA-2018:0040-01, RHSA-2018:0053-01, RHSA-2018:0093-01, RHSA-2018:0094-01, RHSA-2018:0103-01, RHSA-2018:0104-01, RHSA-2018:0105-01, RHSA-2018:0106-01, RHSA-2018:0107-01, RHSA-2018:0108-01, RHSA-2018:0109-01, RHSA-2018:0110-01, RHSA-2018:0111-01, RHSA-2018:0112-01, RHSA-2018:0182-01, RHSA-2018:0292-01, RHSA-2018:0464-01, RHSA-2018:0496-01, RHSA-2018:0512-01, RHSA-2018:1129-01, RHSA-2018:1196-01, SA161, SB10226, spectre_meltdown_advisory, SSA-168644, SSA:2018-016-01, SSA:2018-037-01, STORM-2018-001, SUSE-SU-2018:0010-1, SUSE-SU-2018:0011-1, SUSE-SU-2018:0012-1, SUSE-SU-2018:0031-1, SUSE-SU-2018:0040-1, SUSE-SU-2018:0069-1, SUSE-SU-2018:0115-1, SUSE-SU-2018:0131-1, SUSE-SU-2018:0171-1, SUSE-SU-2018:0219-1, SUSE-SU-2018:0438-1, SUSE-SU-2018:0472-1, SUSE-SU-2018:0601-1, SUSE-SU-2018:0609-1, SUSE-SU-2018:0638-1, SUSE-SU-2018:0678-1, SUSE-SU-2018:0909-1, SUSE-SU-2018:1603-1, SUSE-SU-2018:1658-1, SUSE-SU-2018:1699-1, SUSE-SU-2018:2528-1, Synology-SA-18:01, USN-3516-1, USN-3522-1, USN-3522-2, USN-3522-3, USN-3522-4, USN-3523-1, USN-3523-2, USN-3523-3, USN-3524-1, USN-3524-2, USN-3525-1, USN-3540-1, USN-3540-2, USN-3541-1, USN-3541-2, USN-3583-1, USN-3583-2, USN-3597-1, USN-3597-2, VIGILANCE-VUL-24933, VMSA-2018-0007, VN-2018-001, VN-2018-002, VU#584653, XSA-254.

Description of the vulnerability

When the system uses an Intel processor, a local attacker can access to the kernel memory, in order to read sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2017-16768

Synology MailPlus Server: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Synology MailPlus Server, in order to run JavaScript code in the context of the web site.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 28/12/2017.
Identifiers: CVE-2017-16768, Synology-SA-17:81, VIGILANCE-VUL-24900.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting of Synology MailPlus Server, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2017-12072

Synology Photo Station: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Synology Photo Station, in order to run JavaScript code in the context of the web site.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 20/12/2017.
Identifiers: CVE-2017-12072, Synology-SA-17:80, VIGILANCE-VUL-24849.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting of Synology Photo Station, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2017-12078

Synology SRM: code execution

Synthesis of the vulnerability

An attacker can use a vulnerability of Synology SRM, in order to run code.
Impacted products: Synology DSM, Synology DS***, Synology RS***.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: user account.
Creation date: 19/12/2017.
Identifiers: CVE-2017-12078, Synology-SA-17:79, VIGILANCE-VUL-24823.

Description of the vulnerability

An attacker can use a vulnerability of Synology SRM, in order to run code.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2017-15886 CVE-2017-15892

Synology Chat: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Synology Chat, in order to run JavaScript code in the context of the web site.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 18/12/2017.
Identifiers: CVE-2017-15886, CVE-2017-15892, Synology-SA-17:78, VIGILANCE-VUL-24799.

Description of the vulnerability

The Synology Chat product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Synology Chat, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2017-17712

Linux kernel: memory corruption via raw_sendmsg

Synthesis of the vulnerability

An attacker can generate a memory corruption via raw_sendmsg() of the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Fedora, Android OS, Linux, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server, denial of service on service.
Provenance: user shell.
Creation date: 18/12/2017.
Identifiers: CERTFR-2018-AVI-075, CERTFR-2018-AVI-080, CERTFR-2018-AVI-094, CERTFR-2018-AVI-124, CERTFR-2018-AVI-196, CVE-2017-17712, DSA-4073-1, FEDORA-2017-7810b7c59f, FEDORA-2017-f7cb245861, FEDORA-2018-884a105c04, LSN-0035-1, openSUSE-SU-2018:0408-1, RHSA-2018:0502-01, SUSE-SU-2018:0383-1, SUSE-SU-2018:0416-1, SUSE-SU-2018:0986-1, Synology-SA-18:14, USN-3581-1, USN-3581-2, USN-3581-3, USN-3582-1, USN-3582-2, VIGILANCE-VUL-24787.

Description of the vulnerability

An attacker can generate a memory corruption via raw_sendmsg() of the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2017-0861

Linux kernel: use after free via snd_pcm_control_ioctl

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area via snd_pcm_control_ioctl() of the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Junos Space, Linux, Oracle Communications, RHEL, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server, denial of service on service.
Provenance: user shell.
Creation date: 14/12/2017.
Identifiers: CERTFR-2018-AVI-165, CERTFR-2018-AVI-170, CERTFR-2018-AVI-198, CERTFR-2018-AVI-206, CERTFR-2018-AVI-224, CERTFR-2018-AVI-232, CERTFR-2018-AVI-241, CERTFR-2018-AVI-386, cpuapr2019, CVE-2017-0861, DLA-1369-1, DSA-4187-1, JSA10917, RHSA-2018:2390-01, RHSA-2018:3083-01, RHSA-2018:3096-01, SUSE-SU-2018:1080-1, SUSE-SU-2018:1172-1, SUSE-SU-2018:1220-1, SUSE-SU-2018:1221-1, SUSE-SU-2018:1309-1, Synology-SA-18:51, USN-3583-1, USN-3583-2, USN-3617-1, USN-3617-2, USN-3617-3, USN-3619-1, USN-3619-2, USN-3632-1, VIGILANCE-VUL-24772.

Description of the vulnerability

An attacker can force the usage of a freed memory area via snd_pcm_control_ioctl() of the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert 24741

Synology Surveillance Station: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Synology Surveillance Station.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Creation date: 12/12/2017.
Identifiers: Synology-SA-17:77, VIGILANCE-VUL-24741.

Description of the vulnerability

An attacker can use several vulnerabilities of Synology Surveillance Station.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2017-15895

Synology Router Manager: directory traversal

Synthesis of the vulnerability

An attacker can traverse directories of Synology Router Manager, in order to create a file outside the service root path.
Impacted products: Synology DSM, Synology DS***, Synology RS***.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: internet client.
Creation date: 11/12/2017.
Identifiers: CVE-2017-15895, Synology-SA-17:71, VIGILANCE-VUL-24725.

Description of the vulnerability

An attacker can traverse directories of Synology Router Manager, in order to create a file outside the service root path.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about DSM: