Synology-SA-17:63 Photo Station

Publish Time: 2017-11-06 16:35:28 UTC+8

Last Updated: 2017-12-04 10:27:14 UTC+8

Severity
Moderate
Status
Resolved

Abstract

Multiple security vulnerabilities have been found in Photo Station, and may allow remote attackers to read arbitrary files, or obtain sensitive system information from a vulnerable version of Synology Photo Station.

Severity

Affected

  • Products
    • Photo Station before 6.8.1-3458 and before 6.3-2970

Description

  • CVE-2017-12079
    Files or directories accessible to external parties vulnerability in picasa.php in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain arbitrary files via prog_id field.
  • CVE-2017-12080
    An information exposure vulnerability in default HTTP configuration file in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain sensitive system information via .htaccess file.

Mitigation

None

Update Availability

To fix the security issue, please go to DSM > Package Center and update Photo Station to 6.8.1-3458 or above or 6.3-2970 or above.