*SSD Advisory – Synology Photo Station Unauthenticated Remote Code Execution*

*Full report*: https://blogs.securiteam.com/index.php/archives/3356
*Twitter account*: @SecuriTeam_SSD

*Vulnerability Summary*
The following advisory describes an unauthenticated Remote Code Execution vulnerability found in Synology Photo Station versions 6.7.3-3432 and earlier, and 6.3-2967 and earlier. Personal Photo Station is an online photo album with a blog, owned and managed by a DSM user. The Synology NAS provides the home/photo folder for storing the photos and videos you want to share. The system creates index thumbnails of the photos and videos automatically, after which visitors can view the photo albums in a web browser.

*Credit*
An independent security researcher, Kacper Szurek, reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.

*Vendor response*
The vendor has released patches to address this vulnerability. For more details: https://www.synology.com/zh-tw/support/security/Synology_SA_17_34_PhotoSation

*CVEs*: CVE-2017-11151, CVE-2017-11152, CVE-2017-11153, CVE-2017-11154, CVE-2017-11155

--
Thanks
Maor Shwartz
GPG Key ID: 93CC36E2DE7FF514
Attachment:
SSD Advisory – Synology Photo Station Unauthenticated Remote Code Execution – SecuriTeam Blogs.pdf
Description: Adobe PDF document
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/