Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2013-6955

Summary
Assigner-certcc
Assigner Org ID-37e5125f-f79b-445b-8fad-9564f167944b
Published At-09 Jan, 2014 | 11:00
Updated At-06 Aug, 2024 | 17:53
Rejected At-
Credits

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:certcc
Assigner Org ID:37e5125f-f79b-445b-8fad-9564f167944b
Published At:09 Jan, 2014 | 11:00
Updated At:06 Aug, 2024 | 17:53
Rejected At:
▼CVE Numbering Authority (CNA)

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.kb.cert.org/vuls/id/615910
third-party-advisory
x_refsource_CERT-VN
Hyperlink: http://www.kb.cert.org/vuls/id/615910
Resource:
third-party-advisory
x_refsource_CERT-VN
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.kb.cert.org/vuls/id/615910
third-party-advisory
x_refsource_CERT-VN
x_transferred
Hyperlink: http://www.kb.cert.org/vuls/id/615910
Resource:
third-party-advisory
x_refsource_CERT-VN
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cret@cert.org
Published At:09 Jan, 2014 | 18:07
Updated At:11 Apr, 2025 | 00:51

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary2.010.0HIGH
AV:N/AC:L/Au:N/C:C/I:C/A:C
Type: Primary
Version: 2.0
Base score: 10.0
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
CPE Matches
Synology, Inc.
synology
>>diskstation_manager>>4.0
cpe:2.3:o:synology:diskstation_manager:4.0:*:*:*:*:*:*:*
Synology, Inc.
synology
>>diskstation_manager>>4.2
cpe:2.3:o:synology:diskstation_manager:4.2:*:*:*:*:*:*:*
Synology, Inc.
synology
>>diskstation_manager>>4.3
cpe:2.3:o:synology:diskstation_manager:4.3:*:*:*:*:*:*:*
Synology, Inc.
synology
>>diskstation_manager>>4.3-3810
cpe:2.3:o:synology:diskstation_manager:4.3-3810:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-264Primarynvd@nist.gov
CWE ID: CWE-264
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://www.kb.cert.org/vuls/id/615910cret@cert.org
US Government Resource
http://www.kb.cert.org/vuls/id/615910af854a3a-2127-422b-91ae-364da2661108
US Government Resource
Hyperlink: http://www.kb.cert.org/vuls/id/615910
Source: cret@cert.org
Resource:
US Government Resource
Hyperlink: http://www.kb.cert.org/vuls/id/615910
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
US Government Resource

Change History

0
Information is not available yet

Similar CVEs

5Records found
CVE-2018-1160
Matching Score-8
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-8
Assigner-Tenable Network Security, Inc.
CVSS Score-9.8||CRITICAL
EPSS-88.94% / 99.50%
||
7 Day CHG~0.00%
Published-20 Dec, 2018 | 21:00
Updated-14 Jan, 2025 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.

Action-Not Available
Vendor-netatalkNetatalkDebian GNU/LinuxSynology, Inc.
Product-vs960hd_firmwarevs960hddebian_linuxnetatalkdiskstation_managerrouter_managerskynasNetatalk
CWE ID-CWE-787
Out-of-bounds Write
CVE-2015-6912
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-10||HIGH
EPSS-29.73% / 96.47%
||
7 Day CHG~0.00%
Published-11 Sep, 2015 | 16:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharacters in the subtitle_codepage parameter to subtitle.cgi.

Action-Not Available
Vendor-n/aSynology, Inc.
Product-video_stationn/a
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2020-27660
Matching Score-8
Assigner-Synology Inc.
ShareView Details
Matching Score-8
Assigner-Synology Inc.
CVSS Score-9.6||CRITICAL
EPSS-2.20% / 83.74%
||
7 Day CHG~0.00%
Published-30 Nov, 2020 | 09:30
Updated-17 Sep, 2024 | 04:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in request.cgi in Synology SafeAccess before 1.2.3-0234 allows remote attackers to execute arbitrary SQL commands via the domain parameter.

Action-Not Available
Vendor-Synology, Inc.
Product-safeaccessSafe Access
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-6554
Matching Score-8
Assigner-CERT/CC
ShareView Details
Matching Score-8
Assigner-CERT/CC
CVSS Score-9.8||CRITICAL
EPSS-1.83% / 82.17%
||
7 Day CHG~0.00%
Published-13 Jul, 2018 | 20:00
Updated-06 Aug, 2024 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Synology NAS servers DS107, DS116, and DS213, use default credentials

Synology NAS servers DS107, firmware version 3.1-1639 and prior, and DS116, DS213, firmware versions prior to 5.2-5644-1, use non-random default credentials of: guest:(blank) and admin:(blank) . A remote network attacker can gain privileged access to a vulnerable device.

Action-Not Available
Vendor-Synology, Inc.
Product-ds213ds213_firmwareds116ds107_firmwareds116_firmwareds107NAS server DS213NAS server DS116NAS server DS107
CWE ID-CWE-255
Not Available
CVE-2021-29089
Matching Score-8
Assigner-Synology Inc.
ShareView Details
Matching Score-8
Assigner-Synology Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.02% / 76.35%
||
7 Day CHG~0.00%
Published-02 Jun, 2021 | 02:15
Updated-16 Sep, 2024 | 21:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in thumbnail component in Synology Photo Station before 6.8.14-3500 allows remote attackers users to execute arbitrary SQL commands via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-photo_stationSynology Photo Station
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Details not found