PT-2017-14272 · Synology · Synology Diskstation Manager

Published

2017-12-08

·

Updated

2025-01-14

·

CVE-2017-15894

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Synology DiskStation Manager (DSM) 6.0.x before 6.0.3-8754-3
Synology DiskStation Manager (DSM) before 5.2-5967-6
Description

A directory traversal flaw in the SYNO.FileStation.Extract API of DSM lets a remote authenticated user write files outside the intended shared folder by placing ".." sequences in the dest_folder_path parameter of an extract request. Because the archive contents are written to the attacker-chosen destination, an attacker with a low-privileged account can create new files, or overwrite existing ones, in unintended locations, potentially including system files. The CVSS vector reflects this: network access with low privileges and no user interaction, high integrity impact, and no direct confidentiality or availability impact.
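The following is an added illustration, not code from the advisory or from Synology: it contrasts the flawed pattern behind a destination-path traversal (client-supplied path appended to a share root) with a hardened check that confines the result to the root. The share root "/volume1", the treatment of a leading "/" as share-relative, and the request values are all assumptions for the demonstration.

```python
import posixpath

# Assumed shared-folder root on the NAS; the advisory does not name one.
SHARE_ROOT = "/volume1"


def vulnerable_dest(dest_folder_path: str, root: str = SHARE_ROOT) -> str:
    """Flawed pattern: trust the client-supplied destination and append it
    to the share root. ".." components walk out of the root, and because
    posixpath.join discards `root` when the second argument is absolute,
    a destination beginning with "/" lands on the real filesystem root."""
    return posixpath.normpath(posixpath.join(root, dest_folder_path))


def safe_dest(dest_folder_path: str, root: str = SHARE_ROOT) -> str:
    """Confine the destination to `root`; raise ValueError on escape."""
    if "\x00" in dest_folder_path:
        raise ValueError("NUL byte in destination path")
    # Design assumption: File Station destinations are share-relative
    # ("/homes/admin/..."), so a leading "/" means "relative to the share
    # root", not the filesystem root. Strip it before joining.
    rel = dest_folder_path.lstrip("/")
    root_n = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_n, rel))
    # Compare against the root plus a trailing separator, so that a path
    # such as "/volume10/x" is not accepted as lying inside "/volume1".
    if candidate != root_n and not candidate.startswith(root_n + "/"):
        raise ValueError(f"destination escapes {root_n}: {dest_folder_path!r}")
    return candidate


def compare(dest_folder_path: str) -> tuple[str, str]:
    """Return (path the flawed handler writes to, verdict of the hardened one)."""
    try:
        hardened = safe_dest(dest_folder_path)
    except ValueError:
        hardened = "REJECTED"
    return vulnerable_dest(dest_folder_path), hardened


if __name__ == "__main__":
    # Constructed request values, not captured traffic.
    for dest in (
        "/homes/admin/extracted",            # legitimate destination
        "/homes/admin/../../../etc/cron.d",  # traversal via ".."
        "../../usr/syno/etc/www",            # relative traversal
        "../volume10/evil",                  # sibling-prefix trick
    ):
        flawed, hardened = compare(dest)
        print(f"{dest!r:40} flawed -> {flawed:<22} hardened -> {hardened}")
```

The check is purely lexical. It stops ".." and absolute-path escapes, but a symlink inside the share that points elsewhere on disk is only caught by resolving the final path on the real filesystem (for example with os.path.realpath) and re-applying the same prefix test before any file is written.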
Recommendations

Update DSM 6.0.x to 6.0.3-8754-3 or later, and DSM 5.2 (or any earlier release) to 5.2-5967-6 or later. Until the update is applied, limit exposure of the SYNO.FileStation.Extract API: exploitation requires an authenticated account, so restrict File Station access to trusted users, review which accounts hold write permission on shared folders, and keep the DSM web interface off the public internet. Note that dest_folder_path is the normal destination argument of an extract request and cannot simply be omitted; the practical interim control is limiting who can reach the endpoint.
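To turn the two version ranges above into an inventory check, here is an added example (not part of the advisory or any Synology tool) that parses DSM version strings and reports whether a build falls inside the affected ranges. The accepted string formats ("6.0.3-8754-3", "6.0.3-8754", "DSM 6.0.3-8754 Update 3") and the sample inventory lines are assumptions; the fixed builds are the ones the advisory names.

```python
import re

# Fixed builds named in the advisory, as (release, build, update).
FIXED_52 = ((5, 2), 5967, 6)      # everything "before 5.2-5967-6" is affected
FIXED_60 = ((6, 0, 3), 8754, 3)   # "6.0.x before 6.0.3-8754-3" is affected

# Assumed version formats: "6.0.3-8754-3", "6.0.3-8754", "DSM 6.0.3-8754 Update 3".
_VER = re.compile(
    r"^(?:DSM\s+)?(\d+(?:\.\d+)*)-(\d+)(?:-(\d+)|\s+Update\s+(\d+))?$"
)


def parse_dsm_version(text: str) -> tuple[tuple[int, ...], int, int]:
    """Split a DSM version string into (release tuple, build number, update)."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised DSM version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2))
    update = int(m.group(3) or m.group(4) or 0)   # no update suffix -> 0
    return release, build, update


def is_affected(text: str) -> bool:
    """True if the version lies in either range the advisory lists."""
    release, build, update = parse_dsm_version(text)
    key = (release, build, update)
    if key < FIXED_52:
        return True                     # any release before 5.2-5967-6
    if release[:2] == (6, 0) and key < FIXED_60:
        return True                     # 6.0.x before 6.0.3-8754-3
    return False                        # fixed build, or a branch not listed


def triage(inventory: list[str]) -> dict[str, bool]:
    """Map 'hostname version' lines to an affected/not-affected verdict."""
    verdicts = {}
    for line in inventory:
        host, version = line.split(maxsplit=1)
        verdicts[host] = is_affected(version)
    return verdicts


if __name__ == "__main__":
    # Constructed inventory lines, not output from a real fleet.
    inventory = [
        "nas-01 6.0.3-8754-2",
        "nas-02 6.0.3-8754-3",
        "nas-03 DSM 6.0.2-8451 Update 11",
        "nas-04 5.2-5967-5",
        "nas-05 5.2-5967-6",
        "nas-06 6.1.7-15284-3",
    ]
    for host, affected in triage(inventory).items():
        print(f"{host}: {'AFFECTED' if affected else 'not in affected range'}")
```

The check implements only what the advisory states: every build before 5.2-5967-6, and 6.0.x builds before 6.0.3-8754-3. Branches the advisory does not mention, such as 6.1, are reported as outside the affected range rather than as confirmed safe.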

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2017-15894

Affected Products

Synology Diskstation Manager