The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of DiskStation Manager

computer vulnerability note CVE-2018-5743

ISC BIND: measure against denial of service ineffective

Synthesis of the vulnerability

An attacker can bypass the limit on the number of simultaneous TCP connections to ISC BIND, in order to trigger a denial of service.
Impacted products: Debian, BIG-IP Hardware, TMOS, BIND, RHEL, Slackware, Synology DSM, Ubuntu.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: internet client.
Creation date: 25/04/2019.
Identifiers: CERTFR-2019-AVI-187, CVE-2018-5743, DSA-4440-1, K74009656, RHSA-2019:1145-01, SSA:2019-116-01, Synology-SA-19:20, USN-3956-1, USN-3956-2, VIGILANCE-VUL-29129.

Description of the vulnerability

An attacker can bypass the limit on the number of simultaneous TCP connections to ISC BIND, in order to trigger a denial of service.

computer vulnerability alert CVE-2019-6341

Drupal Core: Cross Site Scripting via File Module/Subsystem

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via File Module/Subsystem of Drupal Core, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, Drupal Core, Fedora, IBM API Connect, I-Connect, Synology DSM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 20/03/2019.
Identifiers: CVE-2019-6341, DLA-1746-1, DRUPAL-SA-CORE-2019-004, DSA-4412-1, FEDORA-2019-2fbce03df3, FEDORA-2019-35589cfcb5, ibm10879443, Synology-SA-19:13, VIGILANCE-VUL-28786, ZDI-19-291.

Description of the vulnerability

The Core module can be installed on Drupal.

However, it does not filter data received via the File module/subsystem before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via File Module/Subsystem of Drupal Core, in order to run JavaScript code in the context of the web site.

vulnerability note 28654

Synology DSM Office: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Synology DSM Office, in order to run JavaScript code in the context of the web site.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 05/03/2019.
Identifiers: Synology-SA-19:11, VIGILANCE-VUL-28654.

Description of the vulnerability

The Synology DSM Office product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Synology DSM Office, in order to run JavaScript code in the context of the web site.

vulnerability CVE-2019-1559

OpenSSL 1.0.2: information disclosure via 0-byte Record Padding Oracle

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via 0-byte Record Padding Oracle of OpenSSL 1.0.2, in order to obtain sensitive information.
Impacted products: SDS, SES, SNS, Debian, AIX, IBM i, MariaDB ~ precise, McAfee Web Gateway, MySQL Community, MySQL Enterprise, Nodejs Core, OpenSSL, openSUSE Leap, Solaris, Percona Server, SIMATIC, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Nessus, Ubuntu, WinSCP.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 26/02/2019.
Identifiers: bulletinapr2019, CERTFR-2019-AVI-080, CERTFR-2019-AVI-132, CERTFR-2019-AVI-214, cpuapr2019, CVE-2019-1559, DLA-1701-1, DSA-4400-1, ibm10876638, openSUSE-SU-2019:1076-1, openSUSE-SU-2019:1105-1, openSUSE-SU-2019:1173-1, openSUSE-SU-2019:1175-1, openSUSE-SU-2019:1432-1, SB10282, SSA:2019-057-01, SSB-439005, STORM-2019-001, SUSE-SU-2019:0572-1, SUSE-SU-2019:0600-1, SUSE-SU-2019:0658-1, SUSE-SU-2019:0803-1, SUSE-SU-2019:0818-1, TNS-2019-02, USN-3899-1, VIGILANCE-VUL-28600.

Description of the vulnerability

An attacker can bypass access restrictions to data via 0-byte Record Padding Oracle of OpenSSL 1.0.2, in order to obtain sensitive information.

vulnerability note CVE-2019-6465

ISC BIND: information disclosure via DLZ Zone Transfer

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via DLZ Zone Transfer of ISC BIND, in order to obtain sensitive information.
Impacted products: Debian, BIG-IP Hardware, TMOS, IBM i, BIND, Solaris, Synology DSM, Ubuntu.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 22/02/2019.
Identifiers: bulletinapr2019, CVE-2019-6465, DLA-1697-1, DSA-4440-1, ibm10876698, K00040234, K01713115, K25244852, Synology-SA-19:10, USN-3893-1, USN-3893-2, VIGILANCE-VUL-28584.

Description of the vulnerability

An attacker can bypass access restrictions to data via DLZ Zone Transfer of ISC BIND, in order to obtain sensitive information.

vulnerability bulletin CVE-2018-5745

ISC BIND: assertion error via Managed-keys Trust Anchor Rolls Over

Synthesis of the vulnerability

An attacker can force an assertion error via Managed-keys Trust Anchor Rolls Over of ISC BIND, in order to trigger a denial of service.
Impacted products: Debian, BIG-IP Hardware, TMOS, IBM i, BIND, Solaris, Synology DSM, Ubuntu.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet server.
Creation date: 22/02/2019.
Identifiers: bulletinapr2019, CVE-2018-5745, DLA-1697-1, DSA-4440-1, ibm10876698, K00040234, K01713115, K25244852, Synology-SA-19:10, USN-3893-1, USN-3893-2, VIGILANCE-VUL-28583.

Description of the vulnerability

An attacker can force an assertion error via Managed-keys Trust Anchor Rolls Over of ISC BIND, in order to trigger a denial of service.

vulnerability alert 28541

Synology Note Station: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Synology Note Station, in order to run JavaScript code in the context of the web site.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 19/02/2019.
Identifiers: Synology-SA-19:08, VIGILANCE-VUL-28541.

Description of the vulnerability

The Synology Note Station product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Synology Note Station, in order to run JavaScript code in the context of the web site.

computer vulnerability announce CVE-2019-5736

runc: code execution via FS Descriptors Container Escape

Synthesis of the vulnerability

An attacker can exploit a file-descriptor-based container escape in runc, in order to run code.
Impacted products: Docker CE, Fedora, openSUSE Leap, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 11/02/2019.
Identifiers: CVE-2019-5736, FEDORA-2019-352d4b9cd8, FEDORA-2019-3f19f13ecd, FEDORA-2019-4dc1e39b34, FEDORA-2019-6174b47003, FEDORA-2019-829524f28f, FEDORA-2019-963ea958f9, FEDORA-2019-a5f616808e, FEDORA-2019-bc70b381ad, FEDORA-2019-df2e68aa6b, FEDORA-2019-f455ef79b8, openSUSE-SU-2019:0170-1, openSUSE-SU-2019:0201-1, openSUSE-SU-2019:0208-1, openSUSE-SU-2019:0252-1, openSUSE-SU-2019:0295-1, openSUSE-SU-2019:1079-1, openSUSE-SU-2019:1227-1, openSUSE-SU-2019:1230-1, openSUSE-SU-2019:1275-1, RHSA-2019:0303-01, RHSA-2019:0304-01, SSA:2019-043-01, SUSE-SU-2019:0362-1, SUSE-SU-2019:0495-1, SUSE-SU-2019:0573-1, SUSE-SU-2019:1234-1, SUSE-SU-2019:1264-1, Synology-SA-19:06, VIGILANCE-VUL-28477.

Description of the vulnerability

An attacker can exploit a file-descriptor-based container escape in runc, in order to run code.

computer vulnerability bulletin 28278

Synology DSM Calendar: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Synology DSM Calendar, in order to run JavaScript code in the context of the web site.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 15/01/2019.
Identifiers: Synology-SA-19:04, VIGILANCE-VUL-28278.

Description of the vulnerability

The Synology DSM Calendar product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Synology DSM Calendar, in order to run JavaScript code in the context of the web site.

vulnerability announce CVE-2019-6110

OpenSSH scp, PuTTY PSCP: spoofing via Scp Client ANSI Codes stderr File Hiding

Synthesis of the vulnerability

An attacker can spoof displayed filenames on the scp client of OpenSSH and PuTTY, in order to deceive the victim.
Impacted products: IBM i, OpenSSH, openSUSE Leap, Solaris, PuTTY, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***.
Severity: 1/4.
Consequences: disguisement.
Provenance: internet server.
Creation date: 14/01/2019.
Identifiers: bulletinjan2019, CVE-2019-6110, ibm10731015, openSUSE-SU-2019:0091-1, openSUSE-SU-2019:0093-1, SUSE-SU-2019:0125-1, SUSE-SU-2019:0126-1, SUSE-SU-2019:0132-1, SUSE-SU-2019:13931-1, VIGILANCE-VUL-28262.

Description of the vulnerability

An attacker can spoof displayed filenames on the scp client of OpenSSH and PuTTY, in order to deceive the victim.