Synology-SA-20:20 Photo Station

Publish Time: 2020-09-15 16:25:29 UTC+8

Last Updated: 2021-07-01 14:47:14 UTC+8

Severity
Critical
Status
Resolved

Abstract

Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of Photo Station.

Affected Products

Product Severity Fixed Release Availability
Photo Station 6.8[1] Critical Upgrade to 6.8.14-3500 or above.

[1] Photo Station 6.3 has reached End-of-Life (EOL) status since 2019-07-01. For user who uses Photo Station 6.3, please upgrade to DSM 6.2 for the latest Photo Station 6.8.

Mitigation

None

Detail

  • CVE-2021-29089

    • Severity: Critical
    • CVSS3 Base Score: 9.8
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in thumbnail component in Synology Photo Station before 6.8.14-3500 allows remote attackers users to execute arbitrary SQL commands via unspecified vectors.
  • CVE-2021-29090

    • Severity: Important
    • CVSS3 Base Score: 7.2
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    • Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in PHP component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary SQL command via unspecified vectors.
  • CVE-2021-29091

    • Severity: Important
    • CVSS3 Base Score: 7.7
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
    • Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to write arbitrary files via unspecified vectors.
  • CVE-2021-29092

    • Severity: Important
    • CVSS3 Base Score: 8.8
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    • Unrestricted upload of file with dangerous type vulnerability in file management component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary code via unspecified vectors.

Acknowledgement

Bing-Jhong Jheng

Revision

Revision Date Description
1 2020-09-15 Initial public release.
2 2021-06-30 Disclosed vulnerability details.