Synology-SA-19:01 Photo Station
Publish Time: 2019-01-02 11:16:52 UTC+8
Last Updated: 2019-06-30 22:56:08 UTC+8
These vulnerabilities allow remote attackers to execute arbitrary SQL commands and remote authenticated users to upload arbitrary files via a susceptible version of Photo Station.
| Product | Severity | Fixed Release Availability |
|---|---|---|
| Photo Station 6.8 | Important | Upgrade to 6.8.11-3489 or above. |
| Photo Station 6.3 | Important | Upgrade to 6.3-2977 or above. |
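The fixed releases in the table above can be checked against an inventory of installed Photo Station versions. The following is an added example, not code from Synology or from the advisory. It assumes version strings of the form `X.Y[.Z]-BUILD` as printed in the table and that releases within a branch order by dotted version and then build number; the host names and installed versions are constructed sample values.

```python
import re

# Fixed releases from the advisory's product table, keyed by (major, minor) branch.
FIXED = {(6, 8): "6.8.11-3489", (6, 3): "6.3-2977"}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)-(\d+)$")


def parse_version(text):
    """Split 'X.Y[.Z]-BUILD' into ((X, Y, Z), BUILD); raise ValueError otherwise."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in match.group(1).split(".")), int(match.group(2))


def classify(text):
    """Return (status, upgrade_target); status is 'affected', 'fixed' or 'unknown'."""
    try:
        installed = parse_version(text)
    except ValueError:
        return "unknown", None
    target = FIXED.get(installed[0][:2])
    if target is None:
        return "unknown", None  # branch not listed in the advisory: review by hand
    # Assumption: within a branch, order is dotted version first, then build number.
    if installed < parse_version(target):
        return "affected", target
    return "fixed", None


def audit(inventory):
    """Map {host: version} to sorted (host, version, status, upgrade_target) rows."""
    return [(host, ver, *classify(ver)) for host, ver in sorted(inventory.items())]


if __name__ == "__main__":
    # Constructed inventory: host names and installed versions are sample values.
    sample = {"nas-01": "6.8.10-3480", "nas-02": "6.8.11-3489",
              "nas-03": "6.3-2970", "nas-04": "6.7.4-3433", "nas-05": "n/a"}
    for row in audit(sample):
        print(*row, sep="\t")
```

Versions on a branch the advisory does not list, or strings that do not parse, are reported as `unknown` rather than assumed safe.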
- Severity: Important
- CVSS3 Base Score: 7.3
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL commands via the type parameter.
- Severity: Moderate
- CVSS3 Base Score: 4.3
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter.
Independent security researcher, MengHuan Yu, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
| Revision | Date | Description |
|---|---|---|
| 1 | 2019-01-02 | Initial public release. |
| 2 | 2019-06-30 | Disclosed vulnerability details. |