The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of DiskStation Manager

vulnerability announce CVE-2019-1125

Intel 64-bit CPU: information disclosure via SWAPGS

Synthesis of the vulnerability

A local attacker can read a memory fragment via SWAPGS of Intel 64-bit CPU, in order to obtain sensitive information.
Impacted products: SNS, Arkoon FAST360, Debian, BIG-IP Hardware, TMOS, Fedora, Linux, Windows 10, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 2016, Windows 2019, Windows 7, Windows 8, Windows (platform) ~ not comprehensive, Windows RT, NETASQ, OpenBSD, openSUSE Leap, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 07/08/2019.
Identifiers: CERTFR-2019-AVI-375, CERTFR-2019-AVI-376, CERTFR-2019-AVI-381, CERTFR-2019-AVI-390, CERTFR-2019-AVI-391, CERTFR-2019-AVI-392, CERTFR-2019-AVI-417, CERTFR-2019-AVI-418, CERTFR-2019-AVI-428, CERTFR-2019-AVI-440, CVE-2019-1125, DLA-1884-1, DLA-1885-1, DSA-4495-1, DSA-4497-1, FEDORA-2019-6bda4c81f4, FEDORA-2019-e37c348348, K31085564, openSUSE-SU-2019:1923-1, openSUSE-SU-2019:1924-1, RHSA-2019:2405-01, RHSA-2019:2411-01, RHSA-2019:2473-01, RHSA-2019:2476-01, RHSA-2019:2600-01, RHSA-2019:2609-01, RHSA-2019:2695-01, RHSA-2019:2696-01, RHSA-2019:2730-01, SSA:2019-226-01, STORM-2019-007, SUSE-SU-2019:14157-1, SUSE-SU-2019:2068-1, SUSE-SU-2019:2069-1, SUSE-SU-2019:2070-1, SUSE-SU-2019:2071-1, SUSE-SU-2019:2072-1, SUSE-SU-2019:2073-1, SUSE-SU-2019:2262-1, SUSE-SU-2019:2263-1, SUSE-SU-2019:2299-1, SWAPGS, Synology-SA-19:32, USN-4093-1, USN-4094-1, USN-4095-1, USN-4095-2, USN-4096-1, VIGILANCE-VUL-29962.

Description of the vulnerability

A local attacker can read a memory fragment via SWAPGS of Intel 64-bit CPU, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2019-11821 CVE-2019-11822

Synology DSM Photo Station: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Synology DSM Photo Station.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 01/07/2019.
Identifiers: CVE-2019-11821, CVE-2019-11822, Synology-SA-19:01, VIGILANCE-VUL-29658.

Description of the vulnerability

An attacker can use several vulnerabilities of Synology DSM Photo Station.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert 29496

Synology DSM Photo Station: privilege escalation

Synthesis of the vulnerability

An attacker can bypass restrictions of Synology DSM Photo Station, in order to escalate his privileges.
Impacted products: Synology DSM.
Severity: 2/4.
Consequences: privileged access/rights, data reading.
Provenance: document.
Creation date: 11/06/2019.
Identifiers: Synology-SA-19:26, VIGILANCE-VUL-29496.

Description of the vulnerability

An attacker can bypass restrictions of Synology DSM Photo Station, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2018-12126 CVE-2018-12127 CVE-2018-12130

Intel processors: information disclosure via performance measurement

Synthesis of the vulnerability

An attacker can measure performances of his process, in order to get sensitive information about other process or, if the host is virtualized, about other guest systems.
Impacted products: XenServer, Debian, Fedora, FortiAnalyzer, FortiGate, FortiManager, FortiOS, FreeBSD, HP ProLiant, QRadar SIEM, Linux, McAfee Email Gateway, McAfee NSM, McAfee NSP, McAfee NTBA, McAfee Web Gateway, Windows 10, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 2016, Windows 2019, Windows 7, Windows 8, Windows RT, OpenBSD, openSUSE Leap, PAN-OS, pfSense, RHEL, SIMATIC, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu, ESXi, vCenter Server, VMware vSphere Hypervisor, Xen.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 4.
Creation date: 15/05/2019.
Revision date: 15/05/2019.
Identifiers: 1074268, CERTFR-2019-AVI-209, CERTFR-2019-AVI-211, CERTFR-2019-AVI-212, CERTFR-2019-AVI-213, CERTFR-2019-AVI-215, CERTFR-2019-AVI-217, CERTFR-2019-AVI-229, CERTFR-2019-AVI-230, CERTFR-2019-AVI-233, CERTFR-2019-AVI-311, CTX251995, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, DLA-1787-1, DLA-1789-1, DLA-1789-2, DLA-1799-1, DLA-1799-2, DSA-4444-1, DSA-4447-1, DSA-4447-2, FEDORA-2019-0731828893, FEDORA-2019-1f5832fc0e, FEDORA-2019-640f8d8dd1, FEDORA-2019-6458474bf2, FEDORA-2019-c36afa818c, FEDORA-2019-e6bf55e821, FEDORA-2019-eb08fb0c5f, FG-IR-18-002, FreeBSD-SA-19:07.mds, HPESBHF03933, INTEL-SA-00233, openSUSE-SU-2019:1402-1, openSUSE-SU-2019:1403-1, openSUSE-SU-2019:1404-1, openSUSE-SU-2019:1405-1, openSUSE-SU-2019:1407-1, openSUSE-SU-2019:1408-1, openSUSE-SU-2019:1419-1, openSUSE-SU-2019:1420-1, openSUSE-SU-2019:1468-1, openSUSE-SU-2019:1505-1, openSUSE-SU-2019:1805-1, openSUSE-SU-2019:1806-1, PAN-SA-2019-0012, RHSA-2019:1155-01, RHSA-2019:1167-01, RHSA-2019:1168-01, RHSA-2019:1169-01, RHSA-2019:1170-01, RHSA-2019:1171-01, RHSA-2019:1172-01, RHSA-2019:1174-01, RHSA-2019:1175-01, RHSA-2019:1176-01, RHSA-2019:1177-01, RHSA-2019:1178-01, RHSA-2019:1180-01, RHSA-2019:1181-01, RHSA-2019:1182-01, RHSA-2019:1183-01, RHSA-2019:1184-01, RHSA-2019:1185-01, RHSA-2019:1186-01, RHSA-2019:1187-01, RHSA-2019:1188-01, RHSA-2019:1189-01, RHSA-2019:1190-01, RHSA-2019:1193-01, RHSA-2019:1194-01, RHSA-2019:1195-01, RHSA-2019:1196-01, RHSA-2019:1197-01, RHSA-2019:1198-01, SB10292, SSA-616472, SUSE-SU-2019:1235-1, SUSE-SU-2019:1236-1, SUSE-SU-2019:1238-1, SUSE-SU-2019:1239-1, SUSE-SU-2019:1240-1, SUSE-SU-2019:1241-1, SUSE-SU-2019:1242-1, SUSE-SU-2019:1243-1, SUSE-SU-2019:1244-1, SUSE-SU-2019:1245-1, SUSE-SU-2019:1248-1, SUSE-SU-2019:1268-1, SUSE-SU-2019:1269-1, SUSE-SU-2019:1272-1, SUSE-SU-2019:1287-1, SUSE-SU-2019:1289-1, SUSE-SU-2019:1296-1, SUSE-SU-2019:1313-1, SUSE-SU-2019:1347-1, SUSE-SU-2019:1348-1, SUSE-SU-2019:1349-1, SUSE-SU-2019:1356-1, SUSE-SU-2019:1371-1, SUSE-SU-2019:14048-1, SUSE-SU-2019:14051-1, SUSE-SU-2019:14052-1, SUSE-SU-2019:14063-1, SUSE-SU-2019:14133-1, SUSE-SU-2019:1423-1, SUSE-SU-2019:1438-1, SUSE-SU-2019:1452-1, SUSE-SU-2019:1490-1, SUSE-SU-2019:1547-1, SUSE-SU-2019:1550-1, SUSE-SU-2019:1909-1, SUSE-SU-2019:1910-1, SUSE-SU-2019:1954-1, Synology-SA-19:24, USN-3977-1, USN-3977-2, USN-3977-3, USN-3978-1, USN-3979-1, USN-3980-1, USN-3981-1, USN-3981-2, USN-3982-1, USN-3982-2, USN-3983-1, USN-3983-2, USN-3984-1, USN-3985-1, USN-3985-2, VIGILANCE-VUL-29300, VMSA-2019-0008, XSA-297, ZombieLoad.

Description of the vulnerability

An attacker can measure performances of his process, in order to get sensitive information about other process or, if the host is virtualized, about other guest systems.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2018-16860

Samba: Man-in-the-Middle

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle on Samba, in order to read or write data in the session.
Impacted products: iOS by Apple, iPhone, Mac OS X, Debian, Fedora, openSUSE Leap, Samba, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: intranet client.
Creation date: 14/05/2019.
Identifiers: CERTFR-2019-AVI-206, CVE-2018-16860, DLA-1788-1, DSA-4443-1, DSA-4455-1, FEDORA-2019-208cc34d40, FEDORA-2019-307e117a2e, HT210346, HT210348, openSUSE-SU-2019:1682-1, openSUSE-SU-2019:1688-1, openSUSE-SU-2019:1888-1, Synology-SA-19:23, USN-3976-1, USN-3976-2, USN-3976-3, USN-3976-4, VIGILANCE-VUL-29289.

Description of the vulnerability

An attacker can act as a Man-in-the-Middle on Samba, in order to read or write data in the session.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2018-5743

ISC BIND: measure against denial of service ineffective

Synthesis of the vulnerability

An attacker can bypass restrictions to the amount of simultaneous TCP connections to ISC BIND, in order to trigger a denial of service.
Impacted products: Debian, BIG-IP Hardware, TMOS, IBM i, BIND, openSUSE Leap, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: internet client.
Creation date: 25/04/2019.
Identifiers: CERTFR-2019-AVI-187, CVE-2018-5743, DLA-1859-1, DSA-4440-1, ibm10883384, K74009656, openSUSE-SU-2019:1532-1, openSUSE-SU-2019:1533-1, RHSA-2019:1145-01, RHSA-2019:1294-01, RHSA-2019:1492-01, RHSA-2019:2698-01, SSA:2019-116-01, SUSE-SU-2019:1407-1, SUSE-SU-2019:14074-1, SUSE-SU-2019:1449-1, Synology-SA-19:20, USN-3956-1, USN-3956-2, VIGILANCE-VUL-29129.

Description of the vulnerability

An attacker can bypass restrictions to the amount of simultaneous TCP connections to ISC BIND, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2019-10909 CVE-2019-11358

jQuery, Symfony: Cross Site Scripting via templates

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via templates for Symfony, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, Drupal Core, Fedora, Grafana, IBM API Connect, Joomla Extensions ~ not comprehensive, openSUSE Leap, Red Hat SSO, SLES, Symfony, Synology DSM, TYPO3 Core.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 18/04/2019.
Identifiers: CERTFR-2019-AVI-180, CVE-2019-10909, CVE-2019-11358, DLA-1777-1, DLA-1777-2, DLA-1778-1, DLA-1797-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4434-1, DSA-4441-1, FEDORA-2019-2a7f472198, FEDORA-2019-32067d8b15, FEDORA-2019-3ee6a7adf2, FEDORA-2019-a3ca65028c, FEDORA-2019-f8db687840, ibm10882578, ibm10882596, ibm10882756, ibm10882762, ibm10882952, ibm10882956, openSUSE-SU-2019:1839-1, openSUSE-SU-2019:1872-1, RHSA-2019:1456-01, Synology-SA-19:19, TYPO3-CORE-SA-2019-009, TYPO3-CORE-SA-2019-010, TYPO3-CORE-SA-2019-011, TYPO3-CORE-SA-2019-012, TYPO3-CORE-SA-2019-013, TYPO3-PSA-2019-004, TYPO3-PSA-2019-005, TYPO3-PSA-2019-006, VIGILANCE-VUL-29070.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting via templates for Symfony, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2019-10911

Symfony, Drupal: privilege escalation via the "remember me" cookie

Synthesis of the vulnerability

An attacker can bypass restrictions via the "remember me" cookie of Symfony or Drupal, in order to escalate his privileges.
Impacted products: Debian, Drupal Core, Fedora, IBM API Connect, Symfony, Synology DSM.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: internet client.
Creation date: 18/04/2019.
Identifiers: CERTFR-2019-AVI-180, CVE-2019-10911, DLA-1778-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4441-1, FEDORA-2019-2a7f472198, FEDORA-2019-32067d8b15, FEDORA-2019-3ee6a7adf2, FEDORA-2019-a3ca65028c, FEDORA-2019-f8db687840, ibm10882578, ibm10882596, ibm10882756, ibm10882762, ibm10882952, ibm10882956, Synology-SA-19:19, VIGILANCE-VUL-29065.

Description of the vulnerability

An attacker can bypass restrictions via the "remember me" cookie of Symfony or Drupal, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2019-10910

Symfony, Drupal: code execution via service IDs

Synthesis of the vulnerability

An attacker can use a vulnerability via service IDs of Symfony or Drupal, in order to run code.
Impacted products: Debian, Drupal Core, Fedora, IBM API Connect, Symfony, Synology DSM.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: internet client.
Creation date: 18/04/2019.
Identifiers: CERTFR-2019-AVI-180, CVE-2019-10910, DLA-1778-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4441-1, FEDORA-2019-2a7f472198, FEDORA-2019-32067d8b15, FEDORA-2019-3ee6a7adf2, FEDORA-2019-a3ca65028c, FEDORA-2019-f8db687840, ibm10882578, ibm10882596, ibm10882756, ibm10882762, ibm10882952, ibm10882956, Synology-SA-19:19, VIGILANCE-VUL-29064.

Description of the vulnerability

An attacker can use a vulnerability via service IDs of Symfony or Drupal, in order to run code.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2019-11358

jQuery Core: privilege escalation via Object.prototype Pollution

Synthesis of the vulnerability

An attacker can bypass restrictions via Object.prototype Pollution of jQuery Core, in order to escalate his privileges.
Impacted products: Debian, Drupal Core, eZ Platform, Fedora, jQuery Core, SnapCenter Backup Management, openSUSE Leap, Oracle Communications, WebLogic, RabbitMQ, Red Hat SSO, SLES, Synology DSM, Telerik.Web.UI.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: document.
Creation date: 11/04/2019.
Identifiers: cpujul2019, CVE-2019-11358, DLA-1797-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4460-1, EZSA-2019-005, FEDORA-2019-2a0ce0c58c, FEDORA-2019-a06dffab1c, FEDORA-2019-f563e66380, NTAP-20190919-0001, openSUSE-SU-2019:1839-1, openSUSE-SU-2019:1872-1, RHSA-2019:1456-01, Synology-SA-19:19, VIGILANCE-VUL-29030.

Description of the vulnerability

An attacker can bypass restrictions via Object.prototype Pollution of jQuery Core, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about DiskStation Manager: