Synology-SA-17:63 Photo Station
Publish Time: 2017-11-06 16:35:28 UTC+8
Last Updated: 2017-12-04 10:27:14 UTC+8
- Severity
- Moderate
- Status
- Resolved
Abstract
Multiple security vulnerabilities have been found in Photo Station, and may allow remote attackers to read arbitrary files, or obtain sensitive system information from a vulnerable version of Synology Photo Station.
Severity
- CVE-2017-12079
- Impact: Moderate
- CVSS3 Base Score: 5.3
- CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- CVE-2017-12080
- Impact: Moderate
- CVSS3 Base Score: 5.3
- CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected
- Products
- Photo Station before 6.8.1-3458 and before 6.3-2970
Description
- CVE-2017-12079
Files or directories accessible to external parties vulnerability in picasa.php in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain arbitrary files via prog_id field. - CVE-2017-12080
An information exposure vulnerability in default HTTP configuration file in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain sensitive system information via .htaccess file.
Mitigation
None
Update Availability
To fix the security issue, please go to DSM > Package Center and update Photo Station to 6.8.1-3458 or above or 6.3-2970 or above.