Synology DiskStation Manager is prone to multiple vulnerabilities.

Please see the references for details about the impact.

Vendor updates are available.

Synology DSM versions 4.3-3776 and below suffer from remote file download, content disclosure, cross site scripting, and command injection vulnerabilities.

Synology DSM versions 4.3-3776 and below.

Tries to read /etc/synoinfo.conf by sending a special crafted HTTP GET request.

• http://packetstormsecurity.com/files/123182/Synology-DSM-4.3-3776-XSS-File-Disclosure-Command-Injection.html
• http://www.synology.com/enu/index.php

---

Updated on 2015-03-25