ID de Prueba:	1.3.6.1.4.1.25623.1.0.105280
Categoría:	Web application abuses
Título:	Synology Photo Station Command Injection and multiple Cross Site Scripting Vulnerabilities
Resumen:	Synology Photo Station is prone to a command;injection vulnerability and multiple cross-site scripting vulnerabilities;because it fails to sanitize user-supplied input.
Descripción:	Summary: Synology Photo Station is prone to a command injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. Vulnerability Insight: Multiple errors exist due to insufficient validation of input passed via 'success' parameter to login.php script, 't' parameter to /photo/index.php script and 'description' POST parameter to photo.php script. Vulnerability Impact: An attacker may leverage the XSS issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affectedasite. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. The Command Injection vulnerability allows an attacker to execute arbitrary commands with the privileges of the webserver. An attacker can use this vulnerability to compromise a Synology DiskStation NAS, including all data stored on the NAS. Affected Software/OS: Photo Station 6 < 6.3-2945 Solution: Update to 6.3-2945 or newer. CVSS Score: 4.3 CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2015-4656 BugTraq ID: 74816 http://www.securityfocus.com/bid/74816 http://seclists.org/fulldisclosure/2015/May/110 https://www.securify.nl/advisory/SFY20150504/synology_photo_station_multiple_cross_site_scripting_vulnerabilities.html
Copyright	Copyright (C) 2015 Greenbone AG

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa. Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.