CVE-2017-11150 is a vulnerability in Synology Office that allows remote authenticated attackers to execute arbitrary commands by uploading a crafted file to the vulnerable NAS.
CVSS v3 Base Score: 8.8
- Office 2.2.0-1502 and 2.2.1-1506
- All Synology NAS models
Command injection vulnerability in Document.php in Synology Office 2.2.0-1502 and 2.2.1-1506 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the crafted file name of RTF documents.
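The bug class described above, shown as an added example that is not Synology's Document.php: a client-supplied file name pasted into a shell command line, next to two hardened alternatives. The converter path, upload directory and function names are hypothetical, and the sample file name is constructed.

```php
<?php
// Added illustration, not code from Synology Office.
// CONVERTER and all function names below are hypothetical.
const CONVERTER = '/usr/local/bin/rtf-convert';

// Weak pattern: the uploaded file's name becomes part of a string that a
// shell will parse, so ; | & $ ` and similar characters change the command.
function weakCommandLine(string $uploadName): string
{
    return CONVERTER . ' /tmp/uploads/' . $uploadName;
}

// Hardening 1: never use the client-supplied name on disk. Check the
// extension, then store the upload under a server-generated name.
function storageName(string $uploadName): string
{
    if (strtolower(pathinfo($uploadName, PATHINFO_EXTENSION)) !== 'rtf') {
        throw new InvalidArgumentException('only .rtf uploads are accepted');
    }
    return bin2hex(random_bytes(16)) . '.rtf';
}

// Hardening 2: pass the arguments as an array so that no shell is involved
// (proc_open accepts an array command since PHP 7.4).
function convert(string $storedPath): int
{
    $devnull = ['file', '/dev/null', 'w'];
    $proc = proc_open([CONVERTER, $storedPath], [1 => $devnull, 2 => $devnull], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('converter could not be started');
    }
    return proc_close($proc);
}

// Constructed sample input: a file name carrying a shell metacharacter.
$name = 'report;id.rtf';

// The weak string contains an unquoted ';', which a shell treats as a separator.
echo weakCommandLine($name), PHP_EOL;

// If a shell cannot be avoided, escapeshellarg() quotes the value as one argument.
echo CONVERTER . ' ' . escapeshellarg('/tmp/uploads/' . $name), PHP_EOL;

// The stored name is random hex plus ".rtf"; the original name is kept only as metadata.
echo storageName($name), PHP_EOL;
```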
Install Document Viewer to replace the vulnerable feature.
- Go to DSM > Package Center and select All.
- Find Document Viewer and click the Install button.
To fix the security issues, please go to DSM > Package Center and install the latest version of Office.