CVE-2013-6987

Name of the Vulnerable Software and Affected Versions Synology DiskStation Manager (DSM) versions prior to 4.3-3810 Update 3

Description Multiple directory traversal vulnerabilities in the FileBrowser components allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the path parameter to "file delete.cgi" or folder path parameter to "file share.cgi" in "webapi/FileStation/"; the dlink parameter to "fbdownload/"; or unspecified parameters to "html5 upload.cgi", "file download.cgi", "file sharing.cgi", "file MVCP.cgi", or "file rename.cgi" in "webapi/FileStation/".

Recommendations For versions prior to 4.3-3810 Update 3, update to version 4.3-3810 Update 3 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable "webapi/FileStation/" endpoints until a patch is available. Avoid using the path and folder path parameters in the affected API endpoints until the issue is resolved. Restrict access to the fbdownload/ endpoint to minimize the risk of exploitation.