Version All versions prior to version 6.5.3-3226

CVE-2016-10329

Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to execute arbitrary code via shell metacharacters in the crafted 'X-Forwarded-For' header.

UNKNOWN Published May 12, 2017

CVE-2016-10330

Directory traversal vulnerability in synophoto_dsm_user, a SUID program, as used in Synology Photo Station before 6.5.3-3226 allows local users to write to arbitrary files via unspecified vectors.

UNKNOWN Published May 12, 2017

CVE-2016-10331

Directory traversal vulnerability in download.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to read arbitrary files via a full pathname in the id parameter.

UNKNOWN Published May 12, 2017