SECURITYVULNS:DOC:32503
Sep 14, 2015

Synology Video Station command injection and multiple SQL injection vulnerabilities

Han Sahin, September 2015


Abstract

It was discovered that Synology Video Station is vulnerable to command
injection that allows an attacker to execute arbitrary system commands
with root privileges. In addition, Video Station is affected by multiple
SQL injection vulnerabilities that allow execution of arbitrary SQL
statements with DBA privileges. As a result, it is possible to compromise
the PostgreSQL database server.


Affected versions

These issues affect Synology Video Station versions up to and including
version 1.5-0757.


Fix

Synology has reported that these issues have been resolved in:

  • Video Station version 1.5-0757 [audiotrack.cgi]
  • Video Station version 1.5-0763 [watchstatus.cgi]
  • Video Station version 1.5-0763 [subtitle.cgi]

Details

https://www.securify.nl/advisory/SFY20150810/synology_video_station_command_injection_and_multiple_sql_injection_vulnerabilities.html