CVE-2019-11821

Name of the Vulnerable Software and Affected Versions Synology Photo Station versions prior to 6.8.11-3489 Synology Photo Station versions prior to 6.3-2977

Description The issue allows remote attackers to execute arbitrary SQL commands via the type parameter in the synophoto csPhotoDB.php file. This enables attackers to manipulate the database, potentially leading to unauthorized data access or modification.

Recommendations For versions prior to 6.8.11-3489, update to version 6.8.11-3489 or later. For versions prior to 6.3-2977, update to version 6.3-2977 or later. As a temporary workaround, consider restricting access to the synophoto csPhotoDB.php file to minimize the risk of exploitation. Avoid using the type parameter in the affected API endpoint until the issue is resolved.